[....] Starting OpenBSD Secure Shell server: sshd[ 26.470733] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 28.372543] random: sshd: uninitialized urandom read (32 bytes read) [ 28.695780] sshd (5352) used greatest stack depth: 16584 bytes left [ 28.718642] random: sshd: uninitialized urandom read (32 bytes read) [ 29.338911] random: sshd: uninitialized urandom read (32 bytes read) [ 29.561833] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.37' (ECDSA) to the list of known hosts. [ 35.259150] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 35.384756] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details. [ 35.411132] ================================================================== [ 35.421203] BUG: KASAN: use-after-free in __schedule+0xfc3/0x1ed0 [ 35.427433] Read of size 8 at addr ffff8801c9570058 by task syz-executor456/5368 [ 35.434965] [ 35.436598] CPU: 1 PID: 5368 Comm: syz-executor456 Not tainted 4.19.0-rc4+ #248 [ 35.444037] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 35.453389] Call Trace: [ 35.455978] dump_stack+0x1c4/0x2b4 [ 35.459617] ? dump_stack_print_info.cold.2+0x52/0x52 [ 35.464813] ? printk+0xa7/0xcf [ 35.468112] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 35.472875] print_address_description.cold.8+0x9/0x1ff [ 35.478251] kasan_report.cold.9+0x242/0x309 [ 35.482664] ? __schedule+0xfc3/0x1ed0 [ 35.486553] __asan_report_load8_noabort+0x14/0x20 [ 35.491488] __schedule+0xfc3/0x1ed0 [ 35.495234] ? __sched_text_start+0x8/0x8 [ 35.499399] ? __lock_is_held+0xb5/0x140 [ 35.503465] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 35.508572] ? find_held_lock+0x36/0x1c0 [ 35.512638] ? __call_srcu+0x7f9/0x1070 [ 35.516615] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 35.521730] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 35.526836] ? lockdep_hardirqs_on+0x421/0x5c0 [ 35.531432] ? preempt_schedule+0x4d/0x60 [ 35.535608] preempt_schedule_common+0x1f/0xd0 [ 35.540195] preempt_schedule+0x4d/0x60 [ 35.544179] ___preempt_schedule+0x16/0x18 [ 35.548439] _raw_spin_unlock_irqrestore+0xbb/0xd0 [ 35.553382] __call_srcu+0x7f9/0x1070 [ 35.557187] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 35.562296] ? srcu_offline_cpu+0x120/0x120 [ 35.566647] ? debug_object_free+0x690/0x690 [ 35.571058] ? mark_held_locks+0x130/0x130 [ 35.575333] ? kvm_arch_destroy_vm+0x414/0x7c0 [ 35.579927] ? lock_release+0x970/0x970 [ 35.583911] ? arch_local_save_flags+0x40/0x40 [ 35.588522] ? depot_save_stack+0x292/0x470 [ 35.592852] ? __lockdep_init_map+0x105/0x590 [ 35.597353] ? __init_waitqueue_head+0x9e/0x150 [ 35.602051] ? init_wait_entry+0x1c0/0x1c0 [ 35.606298] __synchronize_srcu+0x17b/0x230 [ 35.610627] ? call_srcu+0x10/0x10 [ 35.614171] ? rcu_unexpedite_gp+0x20/0x20 [ 35.618426] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 35.624070] ? check_preemption_disabled+0x48/0x200 [ 35.629093] synchronize_srcu+0x356/0x5ab [ 35.633241] ? lock_downgrade+0x900/0x900 [ 35.637399] ? synchronize_srcu_expedited+0x20/0x20 [ 35.642430] ? kasan_check_read+0x11/0x20 [ 35.646581] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 35.651346] ? kasan_check_write+0x14/0x20 [ 35.655595] ? do_raw_spin_lock+0xc1/0x200 [ 35.659842] kvm_page_track_unregister_notifier+0x17d/0x250 [ 35.665571] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 35.671028] ? kvfree+0x61/0x70 [ 35.674314] ? rcu_read_lock_sched_held+0x108/0x120 [ 35.679335] kvm_mmu_uninit_vm+0x1c/0x20 [ 35.683432] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 35.687845] ? kvm_arch_sync_events+0x30/0x30 [ 35.692344] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 35.697889] ? mmu_notifier_unregister+0x474/0x600 [ 35.702831] ? kfree+0x107/0x230 [ 35.706204] ? __mmu_notifier_register+0x30/0x30 [ 35.710964] ? __free_pages+0x10a/0x190 [ 35.714939] ? free_unref_page+0x960/0x960 [ 35.719191] kvm_put_kvm+0x6c8/0xff0 [ 35.722920] ? kvm_write_guest_cached+0x40/0x40 [ 35.727596] ? kvm_irqfd_release+0xd1/0x120 [ 35.731928] ? _raw_spin_unlock_irq+0x27/0x80 [ 35.736869] ? _raw_spin_unlock_irq+0x27/0x80 [ 35.741396] ? kasan_check_write+0x14/0x20 [ 35.745666] ? do_raw_spin_lock+0xc1/0x200 [ 35.749932] ? kvm_irqfd_release+0xdd/0x120 [ 35.754389] ? kvm_irqfd_release+0xdd/0x120 [ 35.758805] ? kvm_put_kvm+0xff0/0xff0 [ 35.762691] kvm_vm_release+0x42/0x50 [ 35.766511] __fput+0x385/0xa30 [ 35.769793] ? get_max_files+0x20/0x20 [ 35.773686] ? trace_hardirqs_on+0xbd/0x310 [ 35.778012] ? ___might_sleep+0x1ed/0x300 [ 35.782158] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 35.787612] ? arch_local_save_flags+0x40/0x40 [ 35.792220] ? kasan_check_write+0x14/0x20 [ 35.796462] ? do_raw_spin_lock+0xc1/0x200 [ 35.800703] ____fput+0x15/0x20 [ 35.803984] task_work_run+0x1e8/0x2a0 [ 35.807874] ? task_work_cancel+0x240/0x240 [ 35.812207] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 35.817745] ? switch_task_namespaces+0x9d/0xd0 [ 35.822423] do_exit+0x1ad7/0x2610 [ 35.825976] ? mm_update_next_owner+0x990/0x990 [ 35.830656] ? kvm_vcpu_ioctl+0x29c/0x1150 [ 35.834898] ? rcu_read_lock_sched_held+0x108/0x120 [ 35.839923] ? kfree+0x1fa/0x230 [ 35.843292] ? kvm_vcpu_ioctl+0x2a1/0x1150 [ 35.847534] ? kvm_vcpu_block+0x1030/0x1030 [ 35.851862] ? is_bpf_text_address+0xd3/0x170 [ 35.856378] ? kernel_text_address+0x79/0xf0 [ 35.860906] ? __kernel_text_address+0xd/0x40 [ 35.865455] ? unwind_get_return_address+0x61/0xa0 [ 35.870395] ? __save_stack_trace+0x8d/0xf0 [ 35.874725] ? save_stack+0xa9/0xd0 [ 35.878355] ? save_stack+0x43/0xd0 [ 35.881995] ? __kasan_slab_free+0x102/0x150 [ 35.886409] ? kasan_slab_free+0xe/0x10 [ 35.890398] ? putname+0xf2/0x130 [ 35.893858] ? __x64_sys_openat+0x9d/0x100 [ 35.898100] ? do_syscall_64+0x1b9/0x820 [ 35.902289] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 35.907662] ? trace_hardirqs_off+0xb8/0x310 [ 35.912074] ? kasan_check_read+0x11/0x20 [ 35.916226] ? do_raw_spin_unlock+0xa7/0x2f0 [ 35.920634] ? trace_hardirqs_on+0x310/0x310 [ 35.925063] ? __bpf_trace_initcall_finish+0x2a/0x30 [ 35.930168] ? trace_hardirqs_off+0xb8/0x310 [ 35.934579] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 35.940122] ? check_preemption_disabled+0x48/0x200 [ 35.945148] ? check_preemption_disabled+0x48/0x200 [ 35.950178] ? kvm_vcpu_block+0x1030/0x1030 [ 35.954510] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 35.960052] ? do_vfs_ioctl+0x201/0x1720 [ 35.964116] ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160 [ 35.969403] ? ioctl_preallocate+0x300/0x300 [ 35.973934] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 35.979495] ? __fget_light+0x2e9/0x430 [ 35.983471] ? fget_raw+0x20/0x20 [ 35.986927] ? putname+0xf2/0x130 [ 35.990391] ? rcu_read_lock_sched_held+0x108/0x120 [ 35.995416] ? kmem_cache_free+0x24f/0x290 [ 35.999654] ? putname+0xf7/0x130 [ 36.003114] do_group_exit+0x177/0x440 [ 36.007013] ? trace_hardirqs_on+0xbd/0x310 [ 36.011337] ? __ia32_sys_exit+0x50/0x50 [ 36.015409] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 36.020862] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 36.026444] ? ksys_ioctl+0x81/0xd0 [ 36.030081] __x64_sys_exit_group+0x3e/0x50 [ 36.034435] do_syscall_64+0x1b9/0x820 [ 36.038328] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 36.043700] ? syscall_return_slowpath+0x5e0/0x5e0 [ 36.048628] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 36.053487] ? trace_hardirqs_on_caller+0x310/0x310 [ 36.058519] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 36.063552] ? prepare_exit_to_usermode+0x291/0x3b0 [ 36.068588] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 36.073441] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 36.078817] RIP: 0033:0x43ef08 [ 36.082015] Code: Bad RIP value. [ 36.085385] RSP: 002b:00007ffca4780098 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 36.093098] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef08 [ 36.100371] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 36.107649] RBP: 00000000004be7c8 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 36.114925] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001 [ 36.122197] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000 [ 36.129477] [ 36.131105] Allocated by task 5368: [ 36.134767] save_stack+0x43/0xd0 [ 36.138242] kasan_kmalloc+0xc7/0xe0 [ 36.141952] kasan_slab_alloc+0x12/0x20 [ 36.145935] kmem_cache_alloc+0x12e/0x730 [ 36.150089] vmx_create_vcpu+0xcf/0x25e0 [ 36.154154] kvm_arch_vcpu_create+0xe5/0x220 [ 36.158574] kvm_vm_ioctl+0x470/0x1d40 [ 36.162464] do_vfs_ioctl+0x1de/0x1720 [ 36.166348] ksys_ioctl+0xa9/0xd0 [ 36.169816] __x64_sys_ioctl+0x73/0xb0 [ 36.173705] do_syscall_64+0x1b9/0x820 [ 36.177594] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 36.182774] [ 36.184400] Freed by task 5368: [ 36.187678] save_stack+0x43/0xd0 [ 36.191127] __kasan_slab_free+0x102/0x150 [ 36.195382] kasan_slab_free+0xe/0x10 [ 36.199186] kmem_cache_free+0x83/0x290 [ 36.203160] vmx_free_vcpu+0x26b/0x300 [ 36.207046] kvm_arch_destroy_vm+0x365/0x7c0 [ 36.211583] kvm_put_kvm+0x6c8/0xff0 [ 36.215295] kvm_vm_release+0x42/0x50 [ 36.219090] __fput+0x385/0xa30 [ 36.222363] ____fput+0x15/0x20 [ 36.225655] task_work_run+0x1e8/0x2a0 [ 36.229548] do_exit+0x1ad7/0x2610 [ 36.233084] do_group_exit+0x177/0x440 [ 36.237101] __x64_sys_exit_group+0x3e/0x50 [ 36.241428] do_syscall_64+0x1b9/0x820 [ 36.245316] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 36.250497] [ 36.252130] The buggy address belongs to the object at ffff8801c9570040 [ 36.252130] which belongs to the cache kvm_vcpu of size 23872 [ 36.264702] The buggy address is located 24 bytes inside of [ 36.264702] 23872-byte region [ffff8801c9570040, ffff8801c9575d80) [ 36.276662] The buggy address belongs to the page: [ 36.281594] page:ffffea0007255c00 count:1 mapcount:0 mapping:ffff8801d5b406c0 index:0x0 compound_mapcount: 0 [ 36.291571] flags: 0x2fffc0000008100(slab|head) [ 36.296245] raw: 02fffc0000008100 ffff8801d5b47a48 ffff8801d5b47a48 ffff8801d5b406c0 [ 36.304127] raw: 0000000000000000 ffff8801c9570040 0000000100000001 0000000000000000 [ 36.311998] page dumped because: kasan: bad access detected [ 36.317700] [ 36.319318] Memory state around the buggy address: [ 36.324273] ffff8801c956ff00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc [ 36.331769] ffff8801c956ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 36.339130] >ffff8801c9570000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 36.346485] ^ [ 36.352742] ffff8801c9570080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.360120] ffff8801c9570100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.367484] ================================================================== [ 36.374845] Kernel panic - not syncing: panic_on_warn set ... [ 36.374845] [ 36.382217] CPU: 1 PID: 5368 Comm: syz-executor456 Tainted: G B 4.19.0-rc4+ #248 [ 36.391043] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 36.400392] Call Trace: [ 36.402988] dump_stack+0x1c4/0x2b4 [ 36.406619] ? dump_stack_print_info.cold.2+0x52/0x52 [ 36.411813] ? lock_downgrade+0x900/0x900 [ 36.415965] panic+0x238/0x4e7 [ 36.419158] ? add_taint.cold.5+0x16/0x16 [ 36.423320] ? print_shadow_for_address+0xb6/0x116 [ 36.428256] ? trace_hardirqs_off+0xaf/0x310 [ 36.432698] kasan_end_report+0x47/0x4f [ 36.436780] kasan_report.cold.9+0x76/0x309 [ 36.441103] ? __schedule+0xfc3/0x1ed0 [ 36.444991] __asan_report_load8_noabort+0x14/0x20 [ 36.449926] __schedule+0xfc3/0x1ed0 [ 36.453645] ? __sched_text_start+0x8/0x8 [ 36.457827] ? __lock_is_held+0xb5/0x140 [ 36.461888] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 36.467550] ? find_held_lock+0x36/0x1c0 [ 36.471618] ? __call_srcu+0x7f9/0x1070 [ 36.475591] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 36.480703] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 36.485807] ? lockdep_hardirqs_on+0x421/0x5c0 [ 36.490405] ? preempt_schedule+0x4d/0x60 [ 36.494562] preempt_schedule_common+0x1f/0xd0 [ 36.499148] preempt_schedule+0x4d/0x60 [ 36.503140] ___preempt_schedule+0x16/0x18 [ 36.507387] _raw_spin_unlock_irqrestore+0xbb/0xd0 [ 36.512319] __call_srcu+0x7f9/0x1070 [ 36.516118] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 36.521260] ? srcu_offline_cpu+0x120/0x120 [ 36.525773] ? debug_object_free+0x690/0x690 [ 36.530570] ? mark_held_locks+0x130/0x130 [ 36.534831] ? kvm_arch_destroy_vm+0x414/0x7c0 [ 36.539439] ? lock_release+0x970/0x970 [ 36.543437] ? arch_local_save_flags+0x40/0x40 [ 36.548025] ? depot_save_stack+0x292/0x470 [ 36.552387] ? __lockdep_init_map+0x105/0x590 [ 36.556897] ? __init_waitqueue_head+0x9e/0x150 [ 36.561568] ? init_wait_entry+0x1c0/0x1c0 [ 36.565836] __synchronize_srcu+0x17b/0x230 [ 36.570161] ? call_srcu+0x10/0x10 [ 36.573725] ? rcu_unexpedite_gp+0x20/0x20 [ 36.577965] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 36.584110] ? check_preemption_disabled+0x48/0x200 [ 36.589132] synchronize_srcu+0x356/0x5ab [ 36.593282] ? lock_downgrade+0x900/0x900 [ 36.597438] ? synchronize_srcu_expedited+0x20/0x20 [ 36.602463] ? kasan_check_read+0x11/0x20 [ 36.606642] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 36.611228] ? kasan_check_write+0x14/0x20 [ 36.615476] ? do_raw_spin_lock+0xc1/0x200 [ 36.619717] kvm_page_track_unregister_notifier+0x17d/0x250 [ 36.625440] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 36.631105] ? kvfree+0x61/0x70 [ 36.634395] ? rcu_read_lock_sched_held+0x108/0x120 [ 36.639433] kvm_mmu_uninit_vm+0x1c/0x20 [ 36.643496] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 36.647917] ? kvm_arch_sync_events+0x30/0x30 [ 36.652614] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 36.658196] ? mmu_notifier_unregister+0x474/0x600 [ 36.663682] ? kfree+0x107/0x230 [ 36.667164] ? __mmu_notifier_register+0x30/0x30 [ 36.672524] ? __free_pages+0x10a/0x190 [ 36.676504] ? free_unref_page+0x960/0x960 [ 36.680763] kvm_put_kvm+0x6c8/0xff0 [ 36.684485] ? kvm_write_guest_cached+0x40/0x40 [ 36.689166] ? kvm_irqfd_release+0xd1/0x120 [ 36.693495] ? _raw_spin_unlock_irq+0x27/0x80 [ 36.697992] ? _raw_spin_unlock_irq+0x27/0x80 [ 36.702522] ? kasan_check_write+0x14/0x20 [ 36.706759] ? do_raw_spin_lock+0xc1/0x200 [ 36.711150] ? kvm_irqfd_release+0xdd/0x120 [ 36.716061] ? kvm_irqfd_release+0xdd/0x120 [ 36.720395] ? kvm_put_kvm+0xff0/0xff0 [ 36.724285] kvm_vm_release+0x42/0x50 [ 36.728087] __fput+0x385/0xa30 [ 36.731379] ? get_max_files+0x20/0x20 [ 36.735742] ? trace_hardirqs_on+0xbd/0x310 [ 36.740071] ? ___might_sleep+0x1ed/0x300 [ 36.744220] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 36.749674] ? arch_local_save_flags+0x40/0x40 [ 36.754271] ? kasan_check_write+0x14/0x20 [ 36.758511] ? do_raw_spin_lock+0xc1/0x200 [ 36.763494] ____fput+0x15/0x20 [ 36.766783] task_work_run+0x1e8/0x2a0 [ 36.770682] ? task_work_cancel+0x240/0x240 [ 36.775012] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 36.780561] ? switch_task_namespaces+0x9d/0xd0 [ 36.785254] do_exit+0x1ad7/0x2610 [ 36.788800] ? mm_update_next_owner+0x990/0x990 [ 36.793497] ? kvm_vcpu_ioctl+0x29c/0x1150 [ 36.797734] ? rcu_read_lock_sched_held+0x108/0x120 [ 36.802756] ? kfree+0x1fa/0x230 [ 36.806133] ? kvm_vcpu_ioctl+0x2a1/0x1150 [ 36.810377] ? kvm_vcpu_block+0x1030/0x1030 [ 36.814709] ? is_bpf_text_address+0xd3/0x170 [ 36.819203] ? kernel_text_address+0x79/0xf0 [ 36.823611] ? __kernel_text_address+0xd/0x40 [ 36.828132] ? unwind_get_return_address+0x61/0xa0 [ 36.833067] ? __save_stack_trace+0x8d/0xf0 [ 36.837402] ? save_stack+0xa9/0xd0 [ 36.841027] ? save_stack+0x43/0xd0 [ 36.844652] ? __kasan_slab_free+0x102/0x150 [ 36.849056] ? kasan_slab_free+0xe/0x10 [ 36.853049] ? putname+0xf2/0x130 [ 36.856507] ? __x64_sys_openat+0x9d/0x100 [ 36.860747] ? do_syscall_64+0x1b9/0x820 [ 36.864812] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 36.870191] ? trace_hardirqs_off+0xb8/0x310 [ 36.874605] ? kasan_check_read+0x11/0x20 [ 36.878766] ? do_raw_spin_unlock+0xa7/0x2f0 [ 36.883174] ? trace_hardirqs_on+0x310/0x310 [ 36.887588] ? __bpf_trace_initcall_finish+0x2a/0x30 [ 36.892705] ? trace_hardirqs_off+0xb8/0x310 [ 36.897115] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 36.902654] ? check_preemption_disabled+0x48/0x200 [ 36.907666] ? check_preemption_disabled+0x48/0x200 [ 36.912689] ? kvm_vcpu_block+0x1030/0x1030 [ 36.917011] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 36.922550] ? do_vfs_ioctl+0x201/0x1720 [ 36.926618] ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160 [ 36.931903] ? ioctl_preallocate+0x300/0x300 [ 36.936311] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 36.941857] ? __fget_light+0x2e9/0x430 [ 36.945835] ? fget_raw+0x20/0x20 [ 36.949285] ? putname+0xf2/0x130 [ 36.952740] ? rcu_read_lock_sched_held+0x108/0x120 [ 36.957759] ? kmem_cache_free+0x24f/0x290 [ 36.961995] ? putname+0xf7/0x130 [ 36.965462] do_group_exit+0x177/0x440 [ 36.969354] ? trace_hardirqs_on+0xbd/0x310 [ 36.973684] ? __ia32_sys_exit+0x50/0x50 [ 36.977748] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 36.983200] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 36.988757] ? ksys_ioctl+0x81/0xd0 [ 36.992395] __x64_sys_exit_group+0x3e/0x50 [ 36.996741] do_syscall_64+0x1b9/0x820 [ 37.000632] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 37.006311] ? syscall_return_slowpath+0x5e0/0x5e0 [ 37.011414] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 37.016277] ? trace_hardirqs_on_caller+0x310/0x310 [ 37.021294] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 37.026328] ? prepare_exit_to_usermode+0x291/0x3b0 [ 37.031348] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 37.036223] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 37.041429] RIP: 0033:0x43ef08 [ 37.044626] Code: Bad RIP value. [ 37.047986] RSP: 002b:00007ffca4780098 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 37.055699] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef08 [ 37.062968] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 37.070234] RBP: 00000000004be7c8 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 37.077505] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001 [ 37.084778] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000 [ 37.092329] [ 37.092335] ====================================================== [ 37.092341] WARNING: possible circular locking dependency detected [ 37.092345] 4.19.0-rc4+ #248 Not tainted [ 37.092351] ------------------------------------------------------ [ 37.092356] syz-executor456/5368 is trying to acquire lock: [ 37.092360] 000000008c8a59b0 ((console_sem).lock){-...}, at: down_trylock+0x13/0x70 [ 37.092386] [ 37.092390] but task is already holding lock: [ 37.092394] 000000004b5a4e49 (report_lock){....}, at: kasan_report+0x8b/0x110 [ 37.092410] [ 37.092415] which lock already depends on the new lock. [ 37.092418] [ 37.092421] [ 37.092426] the existing dependency chain (in reverse order) is: [ 37.092429] [ 37.092431] -> #3 (report_lock){....}: [ 37.092447] _raw_spin_lock_irqsave+0x99/0xd0 [ 37.092451] kasan_report+0x8b/0x110 [ 37.092456] __asan_report_load8_noabort+0x14/0x20 [ 37.092461] __schedule+0xfc3/0x1ed0 [ 37.092465] preempt_schedule_common+0x1f/0xd0 [ 37.092470] preempt_schedule+0x4d/0x60 [ 37.092474] ___preempt_schedule+0x16/0x18 [ 37.092479] _raw_spin_unlock_irqrestore+0xbb/0xd0 [ 37.092483] __call_srcu+0x7f9/0x1070 [ 37.092488] __synchronize_srcu+0x17b/0x230 [ 37.092492] synchronize_srcu+0x356/0x5ab [ 37.092497] kvm_page_track_unregister_notifier+0x17d/0x250 [ 37.092502] kvm_mmu_uninit_vm+0x1c/0x20 [ 37.092506] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 37.092511] kvm_put_kvm+0x6c8/0xff0 [ 37.092515] kvm_vm_release+0x42/0x50 [ 37.092519] __fput+0x385/0xa30 [ 37.092523] ____fput+0x15/0x20 [ 37.092527] task_work_run+0x1e8/0x2a0 [ 37.092531] do_exit+0x1ad7/0x2610 [ 37.092535] do_group_exit+0x177/0x440 [ 37.092540] __x64_sys_exit_group+0x3e/0x50 [ 37.092544] do_syscall_64+0x1b9/0x820 [ 37.092549] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 37.092551] [ 37.092554] -> #2 (&rq->lock){-.-.}: [ 37.092569] _raw_spin_lock+0x2d/0x40 [ 37.092574] task_fork_fair+0xb0/0x6d0 [ 37.092578] sched_fork+0x443/0xba0 [ 37.092582] copy_process+0x2586/0x8780 [ 37.092586] _do_fork+0x1cb/0x11d0 [ 37.092590] kernel_thread+0x34/0x40 [ 37.092594] rest_init+0x22/0xe5 [ 37.092598] start_kernel+0x8f4/0x92f [ 37.092603] x86_64_start_reservations+0x29/0x2b [ 37.092607] x86_64_start_kernel+0x76/0x79 [ 37.092612] secondary_startup_64+0xa4/0xb0 [ 37.092614] [ 37.092617] -> #1 (&p->pi_lock){-.-.}: [ 37.092633] _raw_spin_lock_irqsave+0x99/0xd0 [ 37.092637] try_to_wake_up+0xd2/0x12f0 [ 37.092641] wake_up_process+0x10/0x20 [ 37.092645] __up.isra.1+0x1c0/0x2a0 [ 37.092649] up+0x13c/0x1c0 [ 37.092653] __up_console_sem+0xbe/0x1b0 [ 37.092658] console_unlock+0x814/0x1160 [ 37.092662] vprintk_emit+0x33d/0x930 [ 37.092666] vprintk_default+0x28/0x30 [ 37.092670] vprintk_func+0x7e/0x181 [ 37.092674] printk+0xa7/0xcf [ 37.092678] load_umh+0x51/0xbd [ 37.092682] do_one_initcall+0x145/0x957 [ 37.092687] kernel_init_freeable+0x4bb/0x5ae [ 37.092691] kernel_init+0x11/0x1b2 [ 37.092695] ret_from_fork+0x3a/0x50 [ 37.092697] [ 37.092700] -> #0 ((console_sem).lock){-...}: [ 37.092716] lock_acquire+0x1ed/0x520 [ 37.092721] _raw_spin_lock_irqsave+0x99/0xd0 [ 37.092725] down_trylock+0x13/0x70 [ 37.092729] __down_trylock_console_sem+0xae/0x200 [ 37.092734] console_trylock+0x15/0xa0 [ 37.092738] vprintk_emit+0x322/0x930 [ 37.092742] vprintk_default+0x28/0x30 [ 37.092746] vprintk_func+0x7e/0x181 [ 37.092750] printk+0xa7/0xcf [ 37.092754] kasan_report+0x9b/0x110 [ 37.092759] __asan_report_load8_noabort+0x14/0x20 [ 37.092763] __schedule+0xfc3/0x1ed0 [ 37.092768] preempt_schedule_common+0x1f/0xd0 [ 37.092772] preempt_schedule+0x4d/0x60 [ 37.092777] ___preempt_schedule+0x16/0x18 [ 37.092781] _raw_spin_unlock_irqrestore+0xbb/0xd0 [ 37.092786] __call_srcu+0x7f9/0x1070 [ 37.092790] __synchronize_srcu+0x17b/0x230 [ 37.092794] synchronize_srcu+0x356/0x5ab [ 37.092799] kvm_page_track_unregister_notifier+0x17d/0x250 [ 37.092804] kvm_mmu_uninit_vm+0x1c/0x20 [ 37.092808] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 37.092813] kvm_put_kvm+0x6c8/0xff0 [ 37.092817] kvm_vm_release+0x42/0x50 [ 37.092821] __fput+0x385/0xa30 [ 37.092824] ____fput+0x15/0x20 [ 37.092829] task_work_run+0x1e8/0x2a0 [ 37.092833] do_exit+0x1ad7/0x2610 [ 37.092837] do_group_exit+0x177/0x440 [ 37.092841] __x64_sys_exit_group+0x3e/0x50 [ 37.092846] do_syscall_64+0x1b9/0x820 [ 37.092851] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 37.092853] [ 37.092858] other info that might help us debug this: [ 37.092860] [ 37.092864] Chain exists of: [ 37.092866] (console_sem).lock --> &rq->lock --> report_lock [ 37.092886] [ 37.092897] Possible unsafe locking scenario: [ 37.092900] [ 37.092904] CPU0 CPU1 [ 37.092908] ---- ---- [ 37.092911] lock(report_lock); [ 37.092921] lock(&rq->lock); [ 37.092931] lock(report_lock); [ 37.092940] lock((console_sem).lock); [ 37.092949] [ 37.092953] *** DEADLOCK *** [ 37.092955] [ 37.092959] 2 locks held by syz-executor456/5368: [ 37.092962] #0: 0000000070d4298f (&rq->lock){-.-.}, at: __schedule+0x236/0x1ed0 [ 37.092980] #1: 000000004b5a4e49 (report_lock){....}, at: kasan_report+0x8b/0x110 [ 37.093007] [ 37.093011] stack backtrace: [ 37.093017] CPU: 1 PID: 5368 Comm: syz-executor456 Not tainted 4.19.0-rc4+ #248 [ 37.093025] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 37.093028] Call Trace: [ 37.093032] dump_stack+0x1c4/0x2b4 [ 37.093037] ? dump_stack_print_info.cold.2+0x52/0x52 [ 37.093042] ? vprintk_func+0x85/0x181 [ 37.093047] print_circular_bug.isra.33.cold.54+0x1bd/0x27d [ 37.093051] ? save_trace+0xe0/0x290 [ 37.093056] __lock_acquire+0x33e4/0x4ec0 [ 37.093060] ? mark_held_locks+0x130/0x130 [ 37.093064] ? mark_held_locks+0x130/0x130 [ 37.093069] ? rcu_bh_qs+0xc0/0xc0 [ 37.093073] ? unwind_dump+0x190/0x190 [ 37.093078] ? is_bpf_text_address+0xd3/0x170 [ 37.093082] ? kernel_text_address+0x79/0xf0 [ 37.093087] ? __kernel_text_address+0xd/0x40 [ 37.093091] ? __save_stack_trace+0x8d/0xf0 [ 37.093096] ? add_lock_to_list.isra.26+0x1ec/0x4b0 [ 37.093101] ? save_trace+0x290/0x290 [ 37.093105] ? save_stack_trace+0x1a/0x20 [ 37.093109] ? save_trace+0xe0/0x290 [ 37.093114] ? kasan_check_read+0x11/0x20 [ 37.093118] ? graph_lock+0x170/0x170 [ 37.093124] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 37.093128] lock_acquire+0x1ed/0x520 [ 37.093132] ? down_trylock+0x13/0x70 [ 37.093136] ? find_held_lock+0x36/0x1c0 [ 37.093141] ? lock_release+0x970/0x970 [ 37.093145] ? trace_hardirqs_off+0xb8/0x310 [ 37.093150] ? vprintk_emit+0x1d3/0x930 [ 37.093154] ? trace_hardirqs_on+0x310/0x310 [ 37.093159] ? trace_hardirqs_off+0xb8/0x310 [ 37.093163] ? log_store+0x344/0x4c0 [ 37.093168] ? vprintk_emit+0x322/0x930 [ 37.093172] _raw_spin_lock_irqsave+0x99/0xd0 [ 37.093176] ? down_trylock+0x13/0x70 [ 37.093180] down_trylock+0x13/0x70 [ 37.093185] __down_trylock_console_sem+0xae/0x200 [ 37.093190] console_trylock+0x15/0xa0 [ 37.093194] vprintk_emit+0x322/0x930 [ 37.093198] ? wake_up_klogd+0x180/0x180 [ 37.093203] ? run_rebalance_domains+0x500/0x500 [ 37.093207] ? wake_up_worker+0x117/0x190 [ 37.093212] ? find_held_lock+0x36/0x1c0 [ 37.093216] ? __queue_work+0x6be/0x1440 [ 37.093220] ? lock_acquire+0x1ed/0x520 [ 37.093225] vprintk_default+0x28/0x30 [ 37.093229] vprintk_func+0x7e/0x181 [ 37.093233] printk+0xa7/0xcf [ 37.093237] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 37.093242] ? kasan_check_write+0x14/0x20 [ 37.093246] ? do_raw_spin_lock+0xc1/0x200 [ 37.093251] ? do_raw_spin_lock+0xc1/0x200 [ 37.093255] kasan_report+0x9b/0x110 [ 37.093259] ? __schedule+0xfc3/0x1ed0 [ 37.093264] __asan_report_load8_noabort+0x14/0x20 [ 37.093268] __schedule+0xfc3/0x1ed0 [ 37.093272] ? __sched_text_start+0x8/0x8 [ 37.093277] ? __lock_is_held+0xb5/0x140 [ 37.093282] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 37.093286] ? find_held_lock+0x36/0x1c0 [ 37.093290] ? __call_srcu+0x7f9/0x1070 [ 37.093295] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 37.093300] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 37.093305] ? lockdep_hardirqs_on+0x421/0x5c0 [ 37.093309] ? preempt_schedule+0x4d/0x60 [ 37.093314] preempt_schedule_common+0x1f/0xd0 [ 37.093318] preempt_schedule+0x4d/0x60 [ 37.093323] ___preempt_schedule+0x16/0x18 [ 37.093328] _raw_spin_unlock_irqrestore+0xbb/0xd0 [ 37.093332] __call_srcu+0x7f9/0x1070 [ 37.093337] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 37.093341] ? srcu_offline_cpu+0x120/0x120 [ 37.093346] ? debug_object_free+0x690/0x690 [ 37.093350] ? mark_held_locks+0x130/0x130 [ 37.093355] ? kvm_arch_destroy_vm+0x414/0x7c0 [ 37.093360] ? lock_release+0x970/0x970 [ 37.093374] ? arch_local_save_flags+0x40/0x40 [ 37.093379] ? depot_save_stack+0x292/0x470 [ 37.093383] ? __lockdep_init_map+0x105/0x590 [ 37.093388] ? __init_waitqueue_head+0x9e/0x150 [ 37.093392] ? init_wait_entry+0x1c0/0x1c0 [ 37.093398] __synchronize_srcu+0x17b/0x230 [ 37.093402] ? call_srcu+0x10/0x10 [ 37.093407] ? rcu_unexpedite_gp+0x20/0x20 [ 37.093412] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 37.093417] ? check_preemption_disabled+0x48/0x200 [ 37.093421] synchronize_srcu+0x356/0x5ab [ 37.093426] ? lock_downgrade+0x900/0x900 [ 37.093431] ? synchronize_srcu_expedited+0x20/0x20 [ 37.093435] ? kasan_check_read+0x11/0x20 [ 37.093440] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 37.093445] ? kasan_check_write+0x14/0x20 [ 37.093449] ? do_raw_spin_lock+0xc1/0x200 [ 37.093455] kvm_page_track_unregister_notifier+0x17d/0x250 [ 37.093460] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 37.093464] ? kvfree+0x61/0x70 [ 37.093469] ? rcu_read_lock_sched_held+0x108/0x120 [ 37.093473] kvm_mmu_uninit_vm+0x1c/0x20 [ 37.093478] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 37.093482] ? kvm_arch_sync_events+0x30/0x30 [ 37.093487] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 37.093492] ? mmu_notifier_unregister+0x474/0x600 [ 37.093496] ? kfree+0x107/0x230 [ 37.093501] ? __mmu_notifier_register+0x30/0x30 [ 37.093506] ? __free_pages+0x10a/0x190 [ 37.093510] ? free_unref_page+0x960/0x960 [ 37.093514] kvm_put_kvm+0x6c8/0xff0 [ 37.093519] ? kvm_write_guest_cached+0x40/0x40 [ 37.093523] ? kvm_irqfd_release+0xd1/0x120 [ 37.093528] ? _raw_spin_unlock_irq+0x27/0x80 [ 37.093533] ? _raw_spin_unlock_irq+0x27/0x80 [ 37.093537] ? kasan_check_write+0x14/0x20 [ 37.093601] ? do_raw_spin_lock+0xc1/0x200 [ 37.093612] ? kvm_irqfd_release+0x [ 37.093627] Lost 82 message(s)! [ 38.261115] Shutting down cpus with NMI [ 39.326414] Kernel Offset: disabled [ 39.330039] Rebooting in 86400 seconds..