[ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd[ 23.211556] random: sshd: uninitialized urandom read (32 bytes read) . Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 25.368407] random: sshd: uninitialized urandom read (32 bytes read) [ 25.576212] random: sshd: uninitialized urandom read (32 bytes read) [ 26.128549] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.15.211' (ECDSA) to the list of known hosts. [ 31.815724] urandom_read: 1 callbacks suppressed [ 31.815729] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 31.917381] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details. [ 31.942133] ================================================================== [ 31.951982] BUG: KASAN: use-after-free in __schedule+0xf54/0x1df0 [ 31.958207] Read of size 8 at addr ffff8801b6448058 by task syz-executor979/4664 [ 31.965727] [ 31.967352] CPU: 0 PID: 4664 Comm: syz-executor979 Not tainted 4.19.0-rc1+ #217 [ 31.974788] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.984130] Call Trace: [ 31.986720] dump_stack+0x1c9/0x2b4 [ 31.990349] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.995540] ? printk+0xa7/0xcf [ 31.998820] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 32.003575] ? __schedule+0xf54/0x1df0 [ 32.007462] print_address_description+0x6c/0x20b [ 32.012302] ? __schedule+0xf54/0x1df0 [ 32.016191] kasan_report.cold.7+0x242/0x30d [ 32.020599] __asan_report_load8_noabort+0x14/0x20 [ 32.025538] __schedule+0xf54/0x1df0 [ 32.029257] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 32.034361] ? __sched_text_start+0x8/0x8 [ 32.038520] ? __call_srcu+0x7e7/0x1040 [ 32.042538] ? 
check_same_owner+0x340/0x340 [ 32.046860] ? mark_held_locks+0x160/0x160 [ 32.051093] ? find_held_lock+0x36/0x1c0 [ 32.055157] preempt_schedule_common+0x22/0x60 [ 32.059735] _cond_resched+0x1d/0x30 [ 32.063446] wait_for_completion+0xa5/0x8d0 [ 32.067768] ? wait_for_completion_interruptible+0x950/0x950 [ 32.073566] ? __lockdep_init_map+0x105/0x590 [ 32.078059] ? __init_waitqueue_head+0x9e/0x150 [ 32.082725] ? init_wait_entry+0x1c0/0x1c0 [ 32.088620] __synchronize_srcu+0x189/0x240 [ 32.092940] ? call_srcu+0x10/0x10 [ 32.096477] ? rcu_unexpedite_gp+0x20/0x20 [ 32.100732] synchronize_srcu+0x335/0x56f [ 32.104881] ? lock_downgrade+0x8f0/0x8f0 [ 32.109032] ? synchronize_srcu_expedited+0x20/0x20 [ 32.114060] ? kasan_check_read+0x11/0x20 [ 32.118214] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 32.122804] ? kasan_check_write+0x14/0x20 [ 32.127045] ? do_raw_spin_lock+0xc1/0x200 [ 32.131286] kvm_page_track_unregister_notifier+0x17d/0x250 [ 32.136996] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 32.142445] ? kvfree+0x61/0x70 [ 32.145724] ? rcu_read_lock_sched_held+0x108/0x120 [ 32.150739] kvm_mmu_uninit_vm+0x1c/0x20 [ 32.154797] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 32.159206] ? kvm_arch_sync_events+0x30/0x30 [ 32.163702] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.169240] ? mmu_notifier_unregister+0x474/0x600 [ 32.174162] ? trace_hardirqs_on+0x2c0/0x2c0 [ 32.178570] ? kfree+0x111/0x210 [ 32.181933] ? __mmu_notifier_register+0x30/0x30 [ 32.186690] ? __free_pages+0x10a/0x190 [ 32.190667] ? free_unref_page+0x930/0x930 [ 32.194908] kvm_put_kvm+0x73f/0x1060 [ 32.198713] ? kvm_write_guest_cached+0x40/0x40 [ 32.203385] ? _raw_spin_unlock_irq+0x27/0x70 [ 32.207874] ? _raw_spin_unlock_irq+0x27/0x70 [ 32.212365] ? lockdep_hardirqs_on+0x421/0x5c0 [ 32.216953] ? kasan_check_write+0x14/0x20 [ 32.221184] ? do_raw_spin_lock+0xc1/0x200 [ 32.225418] ? kvm_irqfd_release+0xdd/0x120 [ 32.229744] ? kvm_irqfd_release+0xdd/0x120 [ 32.234069] ? 
kvm_put_kvm+0x1060/0x1060 [ 32.238126] kvm_vm_release+0x42/0x50 [ 32.241925] __fput+0x38a/0xa40 [ 32.245205] ? __alloc_file+0x400/0x400 [ 32.249179] ? check_same_owner+0x340/0x340 [ 32.253497] ? kasan_check_write+0x14/0x20 [ 32.257743] ? do_raw_spin_lock+0xc1/0x200 [ 32.261975] ____fput+0x15/0x20 [ 32.265253] task_work_run+0x1e8/0x2a0 [ 32.269137] ? task_work_cancel+0x240/0x240 [ 32.273459] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.278995] ? switch_task_namespaces+0xa2/0xd0 [ 32.283661] do_exit+0x1ae4/0x26e0 [ 32.287202] ? mm_update_next_owner+0x9a0/0x9a0 [ 32.291878] ? kvm_vcpu_ioctl+0x2b5/0x1280 [ 32.296115] ? rcu_read_lock_sched_held+0x108/0x120 [ 32.301130] ? kfree+0x1d7/0x210 [ 32.304495] ? kvm_vcpu_ioctl+0x2ba/0x1280 [ 32.308743] ? kvm_uevent_notify_change.part.32+0x440/0x440 [ 32.314456] ? _raw_spin_unlock_irq+0x27/0x70 [ 32.318949] ? finish_task_switch+0x1d3/0x870 [ 32.323435] ? finish_task_switch+0x18a/0x870 [ 32.327925] ? __switch_to_asm+0x34/0x70 [ 32.331987] ? preempt_notifier_register+0x200/0x200 [ 32.337083] ? __switch_to_asm+0x34/0x70 [ 32.341138] ? __switch_to_asm+0x34/0x70 [ 32.345194] ? __switch_to_asm+0x40/0x70 [ 32.349250] ? __switch_to_asm+0x34/0x70 [ 32.353305] ? __switch_to_asm+0x40/0x70 [ 32.357360] ? __switch_to_asm+0x34/0x70 [ 32.361414] ? __switch_to_asm+0x40/0x70 [ 32.365469] ? __switch_to_asm+0x34/0x70 [ 32.369547] ? __switch_to_asm+0x34/0x70 [ 32.373620] ? __switch_to_asm+0x40/0x70 [ 32.377710] ? __switch_to_asm+0x34/0x70 [ 32.381777] ? __switch_to_asm+0x40/0x70 [ 32.385838] ? __switch_to_asm+0x34/0x70 [ 32.389894] ? __switch_to_asm+0x40/0x70 [ 32.393962] ? __sched_text_start+0x8/0x8 [ 32.398105] ? trace_hardirqs_off+0xb8/0x2b0 [ 32.402521] ? kasan_check_read+0x11/0x20 [ 32.406670] ? do_raw_spin_unlock+0xa7/0x2f0 [ 32.411071] ? trace_hardirqs_on+0x2c0/0x2c0 [ 32.415499] ? initcall_blacklisted+0x9a/0x1e0 [ 32.420094] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 32.425197] ? 
kvm_uevent_notify_change.part.32+0x440/0x440 [ 32.430906] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.436442] ? do_vfs_ioctl+0x201/0x1720 [ 32.440501] ? ioctl_preallocate+0x300/0x300 [ 32.444919] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.450451] ? __fget_light+0x2f7/0x440 [ 32.454420] ? __schedule+0x1df0/0x1df0 [ 32.458394] ? fget_raw+0x20/0x20 [ 32.461845] ? trace_hardirqs_off+0xb8/0x2b0 [ 32.466253] ? kmem_cache_free+0x246/0x280 [ 32.470489] ? do_syscall_64+0x6be/0x820 [ 32.474568] ? trace_hardirqs_on+0x2c0/0x2c0 [ 32.478971] ? putname+0xf7/0x130 [ 32.482428] do_group_exit+0x177/0x440 [ 32.486311] ? trace_hardirqs_on+0xbd/0x2c0 [ 32.490627] ? __ia32_sys_exit+0x50/0x50 [ 32.494696] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 32.499803] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.505338] ? ksys_ioctl+0x81/0xd0 [ 32.508969] __x64_sys_exit_group+0x3e/0x50 [ 32.513291] do_syscall_64+0x1b9/0x820 [ 32.517181] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 32.522547] ? syscall_return_slowpath+0x5e0/0x5e0 [ 32.527474] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.532327] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 32.537344] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 32.542358] ? prepare_exit_to_usermode+0x291/0x3b0 [ 32.547377] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.552219] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.557404] RIP: 0033:0x43ef08 [ 32.560596] Code: Bad RIP value. 
[ 32.563954] RSP: 002b:00007ffcf2140238 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 32.571665] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef08 [ 32.578929] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 32.586193] RBP: 00000000004be7c8 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 32.593459] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001 [ 32.600724] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000 [ 32.607992] [ 32.609610] Allocated by task 4664: [ 32.613236] save_stack+0x43/0xd0 [ 32.616683] kasan_kmalloc+0xc4/0xe0 [ 32.620392] kasan_slab_alloc+0x12/0x20 [ 32.624358] kmem_cache_alloc+0x12e/0x710 [ 32.628511] vmx_create_vcpu+0xcf/0x2830 [ 32.632582] kvm_arch_vcpu_create+0xe5/0x220 [ 32.636989] kvm_vm_ioctl+0x488/0x1d80 [ 32.640874] do_vfs_ioctl+0x1de/0x1720 [ 32.644756] ksys_ioctl+0xa9/0xd0 [ 32.648203] __x64_sys_ioctl+0x73/0xb0 [ 32.652086] do_syscall_64+0x1b9/0x820 [ 32.655969] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.661144] [ 32.662764] Freed by task 4664: [ 32.666038] save_stack+0x43/0xd0 [ 32.669485] __kasan_slab_free+0x11a/0x170 [ 32.673725] kasan_slab_free+0xe/0x10 [ 32.677529] kmem_cache_free+0x86/0x280 [ 32.681498] vmx_free_vcpu+0x26b/0x300 [ 32.685394] kvm_arch_destroy_vm+0x365/0x7c0 [ 32.689801] kvm_put_kvm+0x73f/0x1060 [ 32.693595] kvm_vm_release+0x42/0x50 [ 32.697387] __fput+0x38a/0xa40 [ 32.700661] ____fput+0x15/0x20 [ 32.703934] task_work_run+0x1e8/0x2a0 [ 32.707816] do_exit+0x1ae4/0x26e0 [ 32.711350] do_group_exit+0x177/0x440 [ 32.715235] __x64_sys_exit_group+0x3e/0x50 [ 32.719554] do_syscall_64+0x1b9/0x820 [ 32.723435] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.728613] [ 32.730238] The buggy address belongs to the object at ffff8801b6448040 [ 32.730238] which belongs to the cache kvm_vcpu of size 23872 [ 32.742817] The buggy address is located 24 bytes inside of [ 32.742817] 23872-byte region [ffff8801b6448040, ffff8801b644dd80) [ 32.754773] The buggy address 
belongs to the page: [ 32.759697] page:ffffea0006d91200 count:1 mapcount:0 mapping:ffff8801d5166d80 index:0x0 compound_mapcount: 0 [ 32.769667] flags: 0x2fffc0000008100(slab|head) [ 32.774336] raw: 02fffc0000008100 ffff8801d5161e48 ffff8801d5161e48 ffff8801d5166d80 [ 32.782215] raw: 0000000000000000 ffff8801b6448040 0000000100000001 0000000000000000 [ 32.790085] page dumped because: kasan: bad access detected [ 32.795779] [ 32.797397] Memory state around the buggy address: [ 32.802319] ffff8801b6447f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.809671] ffff8801b6447f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.817026] >ffff8801b6448000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 32.824377] ^ [ 32.830598] ffff8801b6448080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.837949] ffff8801b6448100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.845296] ================================================================== [ 32.852642] Kernel panic - not syncing: panic_on_warn set ... [ 32.852642] [ 32.860005] CPU: 0 PID: 4664 Comm: syz-executor979 Tainted: G B 4.19.0-rc1+ #217 [ 32.868829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.878175] Call Trace: [ 32.880768] dump_stack+0x1c9/0x2b4 [ 32.884396] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.890210] ? lock_downgrade+0x8f0/0x8f0 [ 32.894355] ? __schedule+0xf54/0x1df0 [ 32.898237] panic+0x238/0x4e7 [ 32.901424] ? add_taint.cold.5+0x16/0x16 [ 32.905572] ? print_shadow_for_address+0xba/0x116 [ 32.910496] ? trace_hardirqs_off+0xaf/0x2b0 [ 32.914911] ? trace_hardirqs_off+0x77/0x2b0 [ 32.919320] ? __schedule+0xf54/0x1df0 [ 32.923202] kasan_end_report+0x47/0x4f [ 32.927175] kasan_report.cold.7+0x76/0x30d [ 32.931495] __asan_report_load8_noabort+0x14/0x20 [ 32.936698] __schedule+0xf54/0x1df0 [ 32.940416] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 32.945531] ? __sched_text_start+0x8/0x8 [ 32.949682] ? 
__call_srcu+0x7e7/0x1040 [ 32.953661] ? check_same_owner+0x340/0x340 [ 32.957974] ? mark_held_locks+0x160/0x160 [ 32.962205] ? find_held_lock+0x36/0x1c0 [ 32.966269] preempt_schedule_common+0x22/0x60 [ 32.970849] _cond_resched+0x1d/0x30 [ 32.974558] wait_for_completion+0xa5/0x8d0 [ 32.978879] ? wait_for_completion_interruptible+0x950/0x950 [ 32.984674] ? __lockdep_init_map+0x105/0x590 [ 32.989167] ? __init_waitqueue_head+0x9e/0x150 [ 32.993830] ? init_wait_entry+0x1c0/0x1c0 [ 32.998064] __synchronize_srcu+0x189/0x240 [ 33.002381] ? call_srcu+0x10/0x10 [ 33.005919] ? rcu_unexpedite_gp+0x20/0x20 [ 33.010157] synchronize_srcu+0x335/0x56f [ 33.014300] ? lock_downgrade+0x8f0/0x8f0 [ 33.018443] ? synchronize_srcu_expedited+0x20/0x20 [ 33.023458] ? kasan_check_read+0x11/0x20 [ 33.027601] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 33.032180] ? kasan_check_write+0x14/0x20 [ 33.036415] ? do_raw_spin_lock+0xc1/0x200 [ 33.040650] kvm_page_track_unregister_notifier+0x17d/0x250 [ 33.046358] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 33.051815] ? kvfree+0x61/0x70 [ 33.055097] ? rcu_read_lock_sched_held+0x108/0x120 [ 33.060113] kvm_mmu_uninit_vm+0x1c/0x20 [ 33.064171] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 33.068577] ? kvm_arch_sync_events+0x30/0x30 [ 33.073072] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 33.078610] ? mmu_notifier_unregister+0x474/0x600 [ 33.083543] ? trace_hardirqs_on+0x2c0/0x2c0 [ 33.087945] ? kfree+0x111/0x210 [ 33.091308] ? __mmu_notifier_register+0x30/0x30 [ 33.096063] ? __free_pages+0x10a/0x190 [ 33.100035] ? free_unref_page+0x930/0x930 [ 33.104278] kvm_put_kvm+0x73f/0x1060 [ 33.108082] ? kvm_write_guest_cached+0x40/0x40 [ 33.112751] ? _raw_spin_unlock_irq+0x27/0x70 [ 33.117243] ? _raw_spin_unlock_irq+0x27/0x70 [ 33.121732] ? lockdep_hardirqs_on+0x421/0x5c0 [ 33.126317] ? kasan_check_write+0x14/0x20 [ 33.130555] ? do_raw_spin_lock+0xc1/0x200 [ 33.134791] ? kvm_irqfd_release+0xdd/0x120 [ 33.139107] ? kvm_irqfd_release+0xdd/0x120 [ 33.143427] ? 
kvm_put_kvm+0x1060/0x1060 [ 33.147484] kvm_vm_release+0x42/0x50 [ 33.151292] __fput+0x38a/0xa40 [ 33.154569] ? __alloc_file+0x400/0x400 [ 33.158551] ? check_same_owner+0x340/0x340 [ 33.162872] ? kasan_check_write+0x14/0x20 [ 33.167106] ? do_raw_spin_lock+0xc1/0x200 [ 33.171340] ____fput+0x15/0x20 [ 33.174615] task_work_run+0x1e8/0x2a0 [ 33.178497] ? task_work_cancel+0x240/0x240 [ 33.182834] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 33.188368] ? switch_task_namespaces+0xa2/0xd0 [ 33.193034] do_exit+0x1ae4/0x26e0 [ 33.196580] ? mm_update_next_owner+0x9a0/0x9a0 [ 33.201250] ? kvm_vcpu_ioctl+0x2b5/0x1280 [ 33.205483] ? rcu_read_lock_sched_held+0x108/0x120 [ 33.210520] ? kfree+0x1d7/0x210 [ 33.213889] ? kvm_vcpu_ioctl+0x2ba/0x1280 [ 33.218123] ? kvm_uevent_notify_change.part.32+0x440/0x440 [ 33.223832] ? _raw_spin_unlock_irq+0x27/0x70 [ 33.228326] ? finish_task_switch+0x1d3/0x870 [ 33.232817] ? finish_task_switch+0x18a/0x870 [ 33.237308] ? __switch_to_asm+0x34/0x70 [ 33.241366] ? preempt_notifier_register+0x200/0x200 [ 33.246460] ? __switch_to_asm+0x34/0x70 [ 33.250528] ? __switch_to_asm+0x34/0x70 [ 33.254581] ? __switch_to_asm+0x40/0x70 [ 33.258635] ? __switch_to_asm+0x34/0x70 [ 33.262692] ? __switch_to_asm+0x40/0x70 [ 33.266750] ? __switch_to_asm+0x34/0x70 [ 33.270806] ? __switch_to_asm+0x40/0x70 [ 33.274858] ? __switch_to_asm+0x34/0x70 [ 33.278912] ? __switch_to_asm+0x34/0x70 [ 33.282968] ? __switch_to_asm+0x40/0x70 [ 33.287027] ? __switch_to_asm+0x34/0x70 [ 33.291080] ? __switch_to_asm+0x40/0x70 [ 33.295133] ? __switch_to_asm+0x34/0x70 [ 33.299186] ? __switch_to_asm+0x40/0x70 [ 33.303252] ? __sched_text_start+0x8/0x8 [ 33.307395] ? trace_hardirqs_off+0xb8/0x2b0 [ 33.311797] ? kasan_check_read+0x11/0x20 [ 33.315940] ? do_raw_spin_unlock+0xa7/0x2f0 [ 33.320341] ? trace_hardirqs_on+0x2c0/0x2c0 [ 33.324745] ? initcall_blacklisted+0x9a/0x1e0 [ 33.329325] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 33.334427] ? 
kvm_uevent_notify_change.part.32+0x440/0x440 [ 33.340138] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.345678] ? do_vfs_ioctl+0x201/0x1720 [ 33.349743] ? ioctl_preallocate+0x300/0x300 [ 33.354152] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.359688] ? __fget_light+0x2f7/0x440 [ 33.363657] ? __schedule+0x1df0/0x1df0 [ 33.367626] ? fget_raw+0x20/0x20 [ 33.371075] ? trace_hardirqs_off+0xb8/0x2b0 [ 33.375480] ? kmem_cache_free+0x246/0x280 [ 33.379723] ? do_syscall_64+0x6be/0x820 [ 33.383779] ? trace_hardirqs_on+0x2c0/0x2c0 [ 33.388183] ? putname+0xf7/0x130 [ 33.391637] do_group_exit+0x177/0x440 [ 33.395530] ? trace_hardirqs_on+0xbd/0x2c0 [ 33.399849] ? __ia32_sys_exit+0x50/0x50 [ 33.403909] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 33.409013] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.414552] ? ksys_ioctl+0x81/0xd0 [ 33.418181] __x64_sys_exit_group+0x3e/0x50 [ 33.422511] do_syscall_64+0x1b9/0x820 [ 33.426402] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 33.431761] ? syscall_return_slowpath+0x5e0/0x5e0 [ 33.436688] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 33.441536] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 33.446552] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 33.451567] ? prepare_exit_to_usermode+0x291/0x3b0 [ 33.456591] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 33.461432] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.466614] RIP: 0033:0x43ef08 [ 33.469804] Code: Bad RIP value. 
[ 33.473159] RSP: 002b:00007ffcf2140238 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 33.480862] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef08 [ 33.488126] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 33.495387] RBP: 00000000004be7c8 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 33.502647] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001 [ 33.509914] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000 [ 33.517188] [ 33.517194] ====================================================== [ 33.517199] WARNING: possible circular locking dependency detected [ 33.517203] 4.19.0-rc1+ #217 Not tainted [ 33.517208] ------------------------------------------------------ [ 33.517213] syz-executor979/4664 is trying to acquire lock: [ 33.517217] 000000007a87c69f ((console_sem).lock){-...}, at: down_trylock+0x13/0x70 [ 33.517232] [ 33.517236] but task is already holding lock: [ 33.517239] 00000000d78b6704 (report_lock){....}, at: kasan_report+0x8e/0x110 [ 33.517253] [ 33.517258] which lock already depends on the new lock. 
[ 33.517260] [ 33.517263] [ 33.517268] the existing dependency chain (in reverse order) is: [ 33.517270] [ 33.517272] -> #3 (report_lock){....}: [ 33.517287] _raw_spin_lock_irqsave+0x96/0xc0 [ 33.517291] kasan_report+0x8e/0x110 [ 33.517295] __asan_report_load8_noabort+0x14/0x20 [ 33.517299] __schedule+0xf54/0x1df0 [ 33.517303] preempt_schedule_common+0x22/0x60 [ 33.517307] _cond_resched+0x1d/0x30 [ 33.517311] wait_for_completion+0xa5/0x8d0 [ 33.517315] __synchronize_srcu+0x189/0x240 [ 33.517319] synchronize_srcu+0x335/0x56f [ 33.517324] kvm_page_track_unregister_notifier+0x17d/0x250 [ 33.517328] kvm_mmu_uninit_vm+0x1c/0x20 [ 33.517333] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 33.517336] kvm_put_kvm+0x73f/0x1060 [ 33.517340] kvm_vm_release+0x42/0x50 [ 33.517344] __fput+0x38a/0xa40 [ 33.517348] ____fput+0x15/0x20 [ 33.517351] task_work_run+0x1e8/0x2a0 [ 33.517355] do_exit+0x1ae4/0x26e0 [ 33.517359] do_group_exit+0x177/0x440 [ 33.517363] __x64_sys_exit_group+0x3e/0x50 [ 33.517367] do_syscall_64+0x1b9/0x820 [ 33.517372] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.517374] [ 33.517376] -> #2 (&rq->lock){-.-.}: [ 33.517390] _raw_spin_lock+0x2a/0x40 [ 33.517394] task_fork_fair+0x93/0x680 [ 33.517398] sched_fork+0x44b/0xbd0 [ 33.517402] copy_process+0x235e/0x7ad0 [ 33.517405] _do_fork+0x1ca/0x1170 [ 33.517409] kernel_thread+0x34/0x40 [ 33.517413] rest_init+0x22/0xe4 [ 33.517416] start_kernel+0x913/0x94e [ 33.517421] x86_64_start_reservations+0x29/0x2b [ 33.517425] x86_64_start_kernel+0x76/0x79 [ 33.517429] secondary_startup_64+0xa4/0xb0 [ 33.517431] [ 33.517434] -> #1 (&p->pi_lock){-.-.}: [ 33.517448] _raw_spin_lock_irqsave+0x96/0xc0 [ 33.517452] try_to_wake_up+0xd2/0x1250 [ 33.517456] wake_up_process+0x10/0x20 [ 33.517460] __up.isra.1+0x1c0/0x2a0 [ 33.517463] up+0x13c/0x1c0 [ 33.517467] __up_console_sem+0xbe/0x1b0 [ 33.517471] console_unlock+0x506/0x10d0 [ 33.517475] vprintk_emit+0x33a/0x910 [ 33.517479] vprintk_default+0x28/0x30 [ 33.517483] vprintk_func+0x7a/0x117 [ 
33.517486] printk+0xa7/0xcf [ 33.517490] load_umh+0x51/0xbd [ 33.517494] do_one_initcall+0x127/0x838 [ 33.517498] kernel_init_freeable+0x4bb/0x5ae [ 33.517502] kernel_init+0x11/0x1b3 [ 33.517519] ret_from_fork+0x3a/0x50 [ 33.517521] [ 33.517524] -> #0 ((console_sem).lock){-...}: [ 33.517538] lock_acquire+0x1e4/0x4f0 [ 33.517543] _raw_spin_lock_irqsave+0x96/0xc0 [ 33.517546] down_trylock+0x13/0x70 [ 33.517551] __down_trylock_console_sem+0xae/0x200 [ 33.517555] console_trylock+0x15/0xa0 [ 33.517559] vprintk_emit+0x31f/0x910 [ 33.517563] vprintk_default+0x28/0x30 [ 33.517566] vprintk_func+0x7a/0x117 [ 33.517570] printk+0xa7/0xcf [ 33.517574] kasan_report+0x9e/0x110 [ 33.517578] __asan_report_load8_noabort+0x14/0x20 [ 33.517582] __schedule+0xf54/0x1df0 [ 33.517586] preempt_schedule_common+0x22/0x60 [ 33.517590] _cond_resched+0x1d/0x30 [ 33.517594] wait_for_completion+0xa5/0x8d0 [ 33.517598] __synchronize_srcu+0x189/0x240 [ 33.517603] synchronize_srcu+0x335/0x56f [ 33.517608] kvm_page_track_unregister_notifier+0x17d/0x250 [ 33.517612] kvm_mmu_uninit_vm+0x1c/0x20 [ 33.517616] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 33.517620] kvm_put_kvm+0x73f/0x1060 [ 33.517624] kvm_vm_release+0x42/0x50 [ 33.517627] __fput+0x38a/0xa40 [ 33.517631] ____fput+0x15/0x20 [ 33.517635] task_work_run+0x1e8/0x2a0 [ 33.517638] do_exit+0x1ae4/0x26e0 [ 33.517642] do_group_exit+0x177/0x440 [ 33.517646] __x64_sys_exit_group+0x3e/0x50 [ 33.517650] do_syscall_64+0x1b9/0x820 [ 33.517655] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.517657] [ 33.517662] other info that might help us debug this: [ 33.517664] [ 33.517667] Chain exists of: [ 33.517669] (console_sem).lock --> &rq->lock --> report_lock [ 33.517688] [ 33.517692] Possible unsafe locking scenario: [ 33.517694] [ 33.517698] CPU0 CPU1 [ 33.517702] ---- ---- [ 33.517705] lock(report_lock); [ 33.517714] lock(&rq->lock); [ 33.517723] lock(report_lock); [ 33.517731] lock((console_sem).lock); [ 33.517739] [ 33.517742] *** DEADLOCK *** [ 33.517745] [ 
33.517749] 2 locks held by syz-executor979/4664: [ 33.517751] #0: 0000000051567496 (&rq->lock){-.-.}, at: __schedule+0x24d/0x1df0 [ 33.517768] #1: 00000000d78b6704 (report_lock){....}, at: kasan_report+0x8e/0x110 [ 33.517785] [ 33.517788] stack backtrace: [ 33.517794] CPU: 0 PID: 4664 Comm: syz-executor979 Not tainted 4.19.0-rc1+ #217 [ 33.517801] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.517805] Call Trace: [ 33.517808] dump_stack+0x1c9/0x2b4 [ 33.517813] ? dump_stack_print_info.cold.2+0x52/0x52 [ 33.517817] ? vprintk_func+0x100/0x117 [ 33.517822] print_circular_bug.isra.34.cold.55+0x1bd/0x27d [ 33.517825] ? save_trace+0xe0/0x290 [ 33.517829] __lock_acquire+0x3449/0x5020 [ 33.517834] ? mark_held_locks+0x160/0x160 [ 33.517838] ? mark_held_locks+0x160/0x160 [ 33.517842] ? rcu_cleanup_dead_rnp+0x200/0x200 [ 33.517846] ? is_bpf_text_address+0xd7/0x170 [ 33.517850] ? kernel_text_address+0x79/0xf0 [ 33.517854] ? __kernel_text_address+0xd/0x40 [ 33.517858] ? __save_stack_trace+0x8d/0xf0 [ 33.517863] ? add_lock_to_list.isra.27+0x1ec/0x4b0 [ 33.517867] ? save_trace+0x290/0x290 [ 33.517871] ? save_stack_trace+0x1a/0x20 [ 33.517875] ? save_trace+0xe0/0x290 [ 33.517878] ? graph_lock+0x170/0x170 [ 33.517883] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 33.517887] lock_acquire+0x1e4/0x4f0 [ 33.517891] ? down_trylock+0x13/0x70 [ 33.517895] ? lock_release+0x9f0/0x9f0 [ 33.517899] ? trace_hardirqs_off+0xb8/0x2b0 [ 33.517903] ? trace_hardirqs_on+0x2c0/0x2c0 [ 33.517907] ? trace_hardirqs_off+0xb8/0x2b0 [ 33.517911] ? log_store+0x34f/0x4c0 [ 33.517915] ? vprintk_emit+0x31f/0x910 [ 33.517919] _raw_spin_lock_irqsave+0x96/0xc0 [ 33.517923] ? down_trylock+0x13/0x70 [ 33.517926] down_trylock+0x13/0x70 [ 33.517931] __down_trylock_console_sem+0xae/0x200 [ 33.517935] console_trylock+0x15/0xa0 [ 33.517939] vprintk_emit+0x31f/0x910 [ 33.517942] ? wake_up_klogd+0x110/0x110 [ 33.517947] ? run_rebalance_domains+0x4c0/0x4c0 [ 33.517951] ? 
kasan_check_read+0x11/0x20 [ 33.517955] ? rcu_is_watching+0x8c/0x150 [ 33.517959] ? rcu_pm_notify+0xc0/0xc0 [ 33.517963] ? lock_acquire+0x1e4/0x4f0 [ 33.517967] ? kasan_report+0x8e/0x110 [ 33.517970] ? __schedule+0xf54/0x1df0 [ 33.517974] vprintk_default+0x28/0x30 [ 33.517978] vprintk_func+0x7a/0x117 [ 33.517981] printk+0xa7/0xcf [ 33.517986] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 33.517990] ? kasan_check_write+0x14/0x20 [ 33.517994] ? do_raw_spin_lock+0xc1/0x200 [ 33.517998] ? do_raw_spin_lock+0xc1/0x200 [ 33.518002] kasan_report+0x9e/0x110 [ 33.518006] __asan_report_load8_noabort+0x14/0x20 [ 33.518010] __schedule+0xf54/0x1df0 [ 33.518014] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 33.518019] ? __sched_text_start+0x8/0x8 [ 33.518023] ? __call_srcu+0x7e7/0x1040 [ 33.518027] ? check_same_owner+0x340/0x340 [ 33.518031] ? mark_held_locks+0x160/0x160 [ 33.518035] ? find_held_lock+0x36/0x1c0 [ 33.518039] preempt_schedule_common+0x22/0x60 [ 33.518043] _cond_resched+0x1d/0x30 [ 33.518047] wait_for_completion+0xa5/0x8d0 [ 33.518052] ? wait_for_completion_interruptible+0x950/0x950 [ 33.518057] ? __lockdep_init_map+0x105/0x590 [ 33.518061] ? __init_waitqueue_head+0x9e/0x150 [ 33.518065] ? init_wait_entry+0x1c0/0x1c0 [ 33.518069] __synchronize_srcu+0x189/0x240 [ 33.518073] ? call_srcu+0x10/0x10 [ 33.518077] ? rcu_unexpedite_gp+0x20/0x20 [ 33.518081] synchronize_srcu+0x335/0x56f [ 33.518085] ? lock_downgrade+0x8f0/0x8f0 [ 33.518090] ? synchronize_srcu_expedited+0x20/0x20 [ 33.518094] ? kasan_check_read+0x11/0x20 [ 33.518098] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 33.518102] ? kasan_check_write+0x14/0x20 [ 33.518106] ? do_raw_spin_lock+0xc1/0x200 [ 33.518111] kvm_page_track_unregister_notifier+0x17d/0x250 [ 33.518116] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 33.518119] ? kvfree+0x61/0x70 [ 33.518124] ? rcu_read_lock_sched_held+0x108/0x120 [ 33.518128] kvm_mmu_uninit_vm+0x1c/0x20 [ 33.518132] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 33.518136] ? 
kvm_arch_sync_events+0x30/0x30 [ 33.518141] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 33.518145] ? mmu_notifier_unregister+0x474/0x600 [ 33.518149] ? trace_hardirqs_on+0x2c0/0x2c0 [ 33.518153] ? kfree+0x111/0x210 [ 33.518157] ? __mmu_notifier_register+0x30/0x30 [ 33.518161] ? __free_pages+0x10a/0x190 [ 33.518165] ? free_unref_page+0x930/0x930 [ 33.518169] kvm_put_kvm+0x73f/0x1060 [ 33.518173] ? kvm_write_guest_cached+0x40/0x40 [ 33.518178] ? _raw_spin_unlock_irq+0x27/0x70 [ 33.518182] ? _raw_spin_unlock_irq+0x27/0x70 [ 33.518186] ? lockdep_hardirqs_on+0x421/0x5c0 [ 33.518190] ? kasan_check_write+0x14/0x20 [ 33.518194] ? do_raw_spin_lock+0xc1/0x200 [ 33.518198] ? kvm_irqfd_release+0xdd/0x120 [ 33.518202] ? kvm_irqfd_release+0xdd/0x120 [ 33.518206] ? kvm_put_kvm+0x1060/0x1060 [ 33.518210] kvm_vm_release+0x42/0x50 [ 33.518214] __fput+0x38a/0xa40 [ 33.518218] ? __alloc_file+0x400/0x400 [ 33.518222] ? check_same_owner+0x340/0x340 [ 33.518226] ? kasan_check_write+0x14/0x20 [ 33.518230] ? do_raw_spin_lock+0xc1/0x200 [ 33.518233] ____fput+0x15/0x20 [ 33.518237] task_work_run+0x1e8/0x2a0 [ 33.518241] ? task_work_cancel+0x240/0x240 [ 33.518246] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 33.518250] ? switch_task_namespaces+0xa2/0xd0 [ 33.518254] do_exit+0x1ae4/0x26e0 [ 33.518258] ? mm_update_next_owner+0x9a0/0x9a0 [ 33.518262] ? kvm_vcpu_ioctl+0x2b5/0x1280 [ 33.518267] ? rcu_read_lock_sched_held+0x108/0x120 [ 33.518270] ? kfree+0x1d7/0x210 [ 33.518274] ? kvm_vcpu_ioctl+0x2ba/0x1280 [ 33.518279] ? kvm_uevent_notify_change.part.32+0x440/0x440 [ 33.518283] ? _raw_spin_unlock_irq+0x27/0x70 [ 33.518286] ? [ 33.518293] Lost 62 message(s)! [ 34.590018] Shutting down cpus with NMI [ 35.648582] Dumping ftrace buffer: [ 35.652105] (ftrace buffer empty) [ 35.655790] Kernel Offset: disabled [ 35.659398] Rebooting in 86400 seconds..