[ 34.256390] audit: type=1800 audit(1585742157.849:33): pid=7159 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 34.280519] audit: type=1800 audit(1585742157.849:34): pid=7159 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 38.921722] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.211723] audit: type=1400 audit(1585742162.809:35): avc: denied { map } for pid=7332 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 39.251004] random: sshd: uninitialized urandom read (32 bytes read)
[ 40.004606] random: sshd: uninitialized urandom read (32 bytes read)
[ 53.703008] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.18' (ECDSA) to the list of known hosts.
[ 59.341183] random: sshd: uninitialized urandom read (32 bytes read)
[ 59.464172] audit: type=1400 audit(1585742183.059:36): avc: denied { map } for pid=7344 comm="syz-executor421" path="/root/syz-executor421893437" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 59.701093] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 60.501882] ODEBUG: activate active (active state 1) object type: rcu_head hint: (null)
[ 60.512508] ------------[ cut here ]------------
[ 60.517251] WARNING: CPU: 1 PID: 7348 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 60.526247] Kernel panic - not syncing: panic_on_warn set ...
[ 60.526247]
[ 60.533600] CPU: 1 PID: 7348 Comm: syz-executor421 Not tainted 4.14.174-syzkaller #0
[ 60.541461] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.550811] Call Trace:
[ 60.553384] dump_stack+0x13e/0x194
[ 60.557008] panic+0x1f9/0x42d
[ 60.560189] ? add_taint.cold+0x16/0x16
[ 60.564146] ? debug_print_object.cold+0xa7/0xdb
[ 60.568900] ? debug_print_object.cold+0xa7/0xdb
[ 60.573642] __warn.cold+0x2f/0x30
[ 60.577169] ? ist_end_non_atomic+0x10/0x10
[ 60.581470] ? debug_print_object.cold+0xa7/0xdb
[ 60.586209] report_bug+0x20a/0x248
[ 60.589832] do_error_trap+0x195/0x2d0
[ 60.593775] ? math_error+0x2d0/0x2d0
[ 60.597564] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 60.602398] invalid_op+0x1b/0x40
[ 60.605839] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 60.611180] RSP: 0018:ffff8880984df430 EFLAGS: 00010082
[ 60.616533] RAX: 0000000000000055 RBX: 0000000000000003 RCX: 0000000000000000
[ 60.623793] RDX: 0000000000000000 RSI: ffffffff86ac07e0 RDI: ffffed101309be7c
[ 60.631419] RBP: ffffffff86ab5ee0 R08: 0000000000000055 R09: 0000000000000000
[ 60.638764] R10: fffffbfff14a8cd8 R11: ffff88808bcfe500 R12: 0000000000000000
[ 60.646038] R13: 0000000000000001 R14: 1ffff1101309be90 R15: ffffffff87d84240
[ 60.653366] debug_object_activate+0x307/0x450
[ 60.657978] ? debug_object_free+0x390/0x390
[ 60.662411] ? find_held_lock+0x2d/0x110
[ 60.666470] ? route4_walk+0x450/0x450
[ 60.670342] __call_rcu.constprop.0+0x31/0x7e0
[ 60.674905] route4_change+0xb27/0x1c4d
[ 60.678863] ? route4_delete+0x760/0x760
[ 60.682905] ? route4_delete+0x760/0x760
[ 60.686960] tc_ctl_tfilter+0xf13/0x18e6
[ 60.691003] ? tfilter_notify+0x240/0x240
[ 60.695144] ? mutex_trylock+0x1a0/0x1a0
[ 60.699187] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 60.705666] ? tfilter_notify+0x240/0x240
[ 60.709794] rtnetlink_rcv_msg+0x3be/0xb10
[ 60.714039] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 60.718620] ? save_trace+0x290/0x290
[ 60.722420] ? save_trace+0x290/0x290
[ 60.726239] netlink_rcv_skb+0x127/0x370
[ 60.730283] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 60.734855] ? netlink_ack+0x980/0x980
[ 60.738738] netlink_unicast+0x437/0x620
[ 60.742842] ? netlink_attachskb+0x600/0x600
[ 60.747245] netlink_sendmsg+0x733/0xbe0
[ 60.751296] ? netlink_unicast+0x620/0x620
[ 60.755513] ? SYSC_sendto+0x2b0/0x2b0
[ 60.759385] ? security_socket_sendmsg+0x83/0xb0
[ 60.764123] ? netlink_unicast+0x620/0x620
[ 60.768381] sock_sendmsg+0xc5/0x100
[ 60.772077] ___sys_sendmsg+0x70a/0x840
[ 60.776043] ? trace_hardirqs_on+0x10/0x10
[ 60.780263] ? copy_msghdr_from_user+0x380/0x380
[ 60.785003] ? find_held_lock+0x2d/0x110
[ 60.789046] ? lock_downgrade+0x6e0/0x6e0
[ 60.793208] ? __fget+0x228/0x360
[ 60.796656] ? __fget_light+0x199/0x1f0
[ 60.800615] ? sockfd_lookup_light+0xb2/0x160
[ 60.805091] __sys_sendmsg+0xa3/0x120
[ 60.808876] ? SyS_shutdown+0x160/0x160
[ 60.812856] ? move_addr_to_kernel+0x60/0x60
[ 60.817257] SyS_sendmsg+0x27/0x40
[ 60.820792] ? __sys_sendmsg+0x120/0x120
[ 60.824865] do_syscall_64+0x1d5/0x640
[ 60.828734] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 60.833902] RIP: 0033:0x446e09
[ 60.837085] RSP: 002b:00007f5658524d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 60.844795] RAX: ffffffffffffffda RBX: 00000000006dbc78 RCX: 0000000000446e09
[ 60.852058] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000006
[ 60.859306] RBP: 00000000006dbc70 R08: 0000000000000000 R09: 0000000000000000
[ 60.866571] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc7c
[ 60.873829] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[ 60.881101]
[ 60.881103] ======================================================
[ 60.881104] WARNING: possible circular locking dependency detected
[ 60.881106] 4.14.174-syzkaller #0 Not tainted
[ 60.881107] ------------------------------------------------------
[ 60.881109] syz-executor421/7348 is trying to acquire lock:
[ 60.881110] ((console_sem).lock){-...}, at: [] down_trylock+0xe/0x60
[ 60.881114]
[ 60.881115] but task is already holding lock:
[ 60.881116] (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[ 60.881120]
[ 60.881122] which lock already depends on the new lock.
[ 60.881123]
[ 60.881123]
[ 60.881125] the existing dependency chain (in reverse order) is:
[ 60.881126]
[ 60.881126] -> #5 (&obj_hash[i].lock){-.-.}:
[ 60.881130] _raw_spin_lock_irqsave+0x8c/0xbf
[ 60.881132] debug_object_activate+0x10b/0x450
[ 60.881133] enqueue_hrtimer+0x22/0x3b0
[ 60.881135] hrtimer_start_range_ns+0x4e6/0x1060
[ 60.881136] schedule_hrtimeout_range_clock+0x13c/0x2f0
[ 60.881137] wait_task_inactive+0x478/0x530
[ 60.881139] __kthread_bind_mask+0x1f/0xb0
[ 60.881140] create_worker+0x313/0x530
[ 60.881141] workqueue_init+0x55f/0x66e
[ 60.881142] kernel_init_freeable+0x2ab/0x526
[ 60.881143] kernel_init+0xd/0x15b
[ 60.881145] ret_from_fork+0x24/0x30
[ 60.881145]
[ 60.881146] -> #4 (hrtimer_bases.lock){-.-.}:
[ 60.881150] _raw_spin_lock_irqsave+0x8c/0xbf
[ 60.881152] lock_hrtimer_base.isra.0+0x6d/0x120
[ 60.881153] hrtimer_start_range_ns+0x7b/0x1060
[ 60.881154] enqueue_task_rt+0x94d/0xdb0
[ 60.881156] __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 60.881157] _sched_setscheduler+0xf9/0x150
[ 60.881158] watchdog_enable+0xff/0x150
[ 60.881160] smpboot_thread_fn+0x40d/0x920
[ 60.881161] kthread+0x30d/0x420
[ 60.881162] ret_from_fork+0x24/0x30
[ 60.881163]
[ 60.881163] -> #3 (&rt_b->rt_runtime_lock){-.-.}:
[ 60.881167] _raw_spin_lock+0x2a/0x40
[ 60.881169] enqueue_task_rt+0x508/0xdb0
[ 60.881170] __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 60.881171] _sched_setscheduler+0xf9/0x150
[ 60.881173] watchdog_enable+0xff/0x150
[ 60.881174] smpboot_thread_fn+0x40d/0x920
[ 60.881175] kthread+0x30d/0x420
[ 60.881176] ret_from_fork+0x24/0x30
[ 60.881177]
[ 60.881178] -> #2 (&rq->lock){-.-.}:
[ 60.881181] _raw_spin_lock+0x2a/0x40
[ 60.881183] task_fork_fair+0x63/0x5b0
[ 60.881184] sched_fork+0x39a/0xbd0
[ 60.881185] copy_process.part.0+0x15b7/0x6a70
[ 60.881186] _do_fork+0x180/0xc80
[ 60.881187] kernel_thread+0x2f/0x40
[ 60.881189] rest_init+0x1f/0x1d2
[ 60.881190] start_kernel+0x659/0x676
[ 60.881191] secondary_startup_64+0xa5/0xb0
[ 60.881192]
[ 60.881192] -> #1 (&p->pi_lock){-.-.}:
[ 60.881196] _raw_spin_lock_irqsave+0x8c/0xbf
[ 60.881198] try_to_wake_up+0x6a/0xef0
[ 60.881199] up+0x92/0xe0
[ 60.881200] __up_console_sem+0xa9/0x1b0
[ 60.881201] console_unlock+0x596/0xec0
[ 60.881202] vprintk_emit+0x1f8/0x600
[ 60.881204] vprintk_func+0x58/0x152
[ 60.881205] printk+0x9e/0xbc
[ 60.881206] kauditd_hold_skb.cold+0x3e/0x4d
[ 60.881207] kauditd_send_queue+0xfb/0x140
[ 60.881209] kauditd_thread+0x625/0x840
[ 60.881210] kthread+0x30d/0x420
[ 60.881211] ret_from_fork+0x24/0x30
[ 60.881211]
[ 60.881212] -> #0 ((console_sem).lock){-...}:
[ 60.881216] lock_acquire+0x170/0x3f0
[ 60.881218] _raw_spin_lock_irqsave+0x8c/0xbf
[ 60.881219] down_trylock+0xe/0x60
[ 60.881220] __down_trylock_console_sem+0x97/0x1f0
[ 60.881221] console_trylock+0x14/0x70
[ 60.881223] vprintk_emit+0x1ea/0x600
[ 60.881224] vprintk_func+0x58/0x152
[ 60.881225] printk+0x9e/0xbc
[ 60.881226] debug_print_object.cold+0xa7/0xdb
[ 60.881227] debug_object_activate+0x307/0x450
[ 60.881229] __call_rcu.constprop.0+0x31/0x7e0
[ 60.881230] route4_change+0xb27/0x1c4d
[ 60.881231] tc_ctl_tfilter+0xf13/0x18e6
[ 60.881232] rtnetlink_rcv_msg+0x3be/0xb10
[ 60.881234] netlink_rcv_skb+0x127/0x370
[ 60.881235] netlink_unicast+0x437/0x620
[ 60.881236] netlink_sendmsg+0x733/0xbe0
[ 60.881237] sock_sendmsg+0xc5/0x100
[ 60.881239] ___sys_sendmsg+0x70a/0x840
[ 60.881240] __sys_sendmsg+0xa3/0x120
[ 60.881241] SyS_sendmsg+0x27/0x40
[ 60.881242] do_syscall_64+0x1d5/0x640
[ 60.881243] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 60.881244]
[ 60.881246] other info that might help us debug this:
[ 60.881246]
[ 60.881247] Chain exists of:
[ 60.881248] (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 60.881253]
[ 60.881254] Possible unsafe locking scenario:
[ 60.881255]
[ 60.881256]        CPU0                    CPU1
[ 60.881257]        ----                    ----
[ 60.881258]   lock(&obj_hash[i].lock);
[ 60.881261]                                lock(hrtimer_bases.lock);
[ 60.881264]                                lock(&obj_hash[i].lock);
[ 60.881266]   lock((console_sem).lock);
[ 60.881268]
[ 60.881269] *** DEADLOCK ***
[ 60.881270]
[ 60.881271] 2 locks held by syz-executor421/7348:
[ 60.881272] #0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10
[ 60.881276] #1: (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[ 60.881281]
[ 60.881282] stack backtrace:
[ 60.881284] CPU: 1 PID: 7348 Comm: syz-executor421 Not tainted 4.14.174-syzkaller #0
[ 60.881286] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.881287] Call Trace:
[ 60.881288] dump_stack+0x13e/0x194
[ 60.881290] print_circular_bug.isra.0.cold+0x1c4/0x282
[ 60.881291] __lock_acquire+0x2cb3/0x4620
[ 60.881292] ? string+0x17e/0x1d0
[ 60.881293] ? trace_hardirqs_on+0x10/0x10
[ 60.881294] ? netdev_bits+0xa0/0xa0
[ 60.881295] ? kvm_clock_read+0x1f/0x30
[ 60.881297] ? kvm_sched_clock_read+0x5/0x10
[ 60.881298] lock_acquire+0x170/0x3f0
[ 60.881299] ? down_trylock+0xe/0x60
[ 60.881300] _raw_spin_lock_irqsave+0x8c/0xbf
[ 60.881301] ? down_trylock+0xe/0x60
[ 60.881302] down_trylock+0xe/0x60
[ 60.881304] ? vprintk_emit+0x1ea/0x600
[ 60.881305] __down_trylock_console_sem+0x97/0x1f0
[ 60.881306] console_trylock+0x14/0x70
[ 60.881307] vprintk_emit+0x1ea/0x600
[ 60.881308] vprintk_func+0x58/0x152
[ 60.881309] printk+0x9e/0xbc
[ 60.881311] ? show_regs_print_info+0x5b/0x5b
[ 60.881312] ? lock_acquire+0x170/0x3f0
[ 60.881313] ? debug_object_activate+0x10b/0x450
[ 60.881314] debug_print_object.cold+0xa7/0xdb
[ 60.881315] debug_object_activate+0x307/0x450
[ 60.881317] ? debug_object_free+0x390/0x390
[ 60.881318] ? find_held_lock+0x2d/0x110
[ 60.881319] ? route4_walk+0x450/0x450
[ 60.881320] __call_rcu.constprop.0+0x31/0x7e0
[ 60.881322] route4_change+0xb27/0x1c4d
[ 60.881323] ? route4_delete+0x760/0x760
[ 60.881324] ? route4_delete+0x760/0x760
[ 60.881325] tc_ctl_tfilter+0xf13/0x18e6
[ 60.881326] ? tfilter_notify+0x240/0x240
[ 60.881327] ? mutex_trylock+0x1a0/0x1a0
[ 60.881329] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 60.881330] ? tfilter_notify+0x240/0x240
[ 60.881331] rtnetlink_rcv_msg+0x3be/0xb10
[ 60.881332] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 60.881334] ? save_trace+0x290/0x290
[ 60.881335] ? save_trace+0x290/0x290
[ 60.881336] netlink_rcv_skb+0x127/0x370
[ 60.881337] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 60.881338] ? netlink_ack+0x980/0x980
[ 60.881339] netlink_unicast+0x437/0x620
[ 60.881341] ? netlink_attachskb+0x600/0x600
[ 60.881342] netlink_sendmsg+0x733/0xbe0
[ 60.881343] ? netlink_unicast+0x620/0x620
[ 60.881344] ? SYSC_sendto+0x2b0/0x2b0
[ 60.881346] ? security_socket_sendmsg+0x83/0xb0
[ 60.881347] ? netlink_unicast+0x620/0x620
[ 60.881348] sock_sendmsg+0xc5/0x100
[ 60.881349] ___sys_sendmsg+0x70a/0x840
[ 60.881350] ? trace_hardirqs_on+0x10/0x10
[ 60.881352] ? copy_msghdr_from_user+0x380/0x380
[ 60.881353] ? find_held_lock+0x2d/0x110
[ 60.881354] ? lock_downgrade+0x6e0/0x6e0
[ 60.881355] ? __fget+0x228/0x360
[ 60.881357] ? __fget_light+0x199/0x1f0
[ 60.881359] ? sockfd_lookup_light+0xb2/0x160
[ 60.881360] __sys_sendmsg+0xa3/0x120
[ 60.881362] ? SyS_shutdown+0x160/0x160
[ 60.881364] ? move_addr_to_kernel+0x60/0x60
[ 60.881366] SyS_sendmsg+0x27/0x40
[ 60.881368] ? __sys_sendmsg+0x120/0x120
[ 60.881370] do_syscall_64+0x1d5/0x640
[ 60.881372] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 60.881374] RIP: 0033:0x446e09
[ 60.881376] RSP: 002b:00007f5658524d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 60.881382] RAX: ffffffffffffffda RBX: 00000000006dbc78 RCX: 0000000000446e09
[ 60.881385] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000006
[ 60.881388] RBP: 00000000006dbc70 R08: 0000000000000000 R09: 0000000000000000
[ 60.881392] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc7c
[ 60.881395] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[ 60.882681] Kernel Offset: disabled
[ 61.776984] Rebooting in 86400 seconds..