[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 32.949540] random: sshd: uninitialized urandom read (32 bytes read) [ 33.196767] audit: type=1400 audit(1536710974.774:6): avc: denied { map } for pid=5475 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 33.248443] random: sshd: uninitialized urandom read (32 bytes read) [ 33.896509] random: sshd: uninitialized urandom read (32 bytes read) [ 34.134750] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.63' (ECDSA) to the list of known hosts. [ 39.752519] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 39.883923] audit: type=1400 audit(1536710981.464:7): avc: denied { map } for pid=5489 comm="syz-executor953" path="/root/syz-executor953621597" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 39.889618] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details. [ 39.939292] ================================================================== [ 39.949251] BUG: KASAN: use-after-free in __schedule+0xfc3/0x1ed0 [ 39.955480] Read of size 8 at addr ffff8801c4d78058 by task syz-executor953/5489 [ 39.963001] [ 39.964627] CPU: 0 PID: 5489 Comm: syz-executor953 Not tainted 4.19.0-rc3+ #10 [ 39.972000] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 39.981367] Call Trace: [ 39.983950] dump_stack+0x1c4/0x2b4 [ 39.987587] ? dump_stack_print_info.cold.2+0x52/0x52 [ 39.993294] ? printk+0xa7/0xcf [ 39.996574] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 40.004026] print_address_description.cold.8+0x9/0x1ff [ 40.009389] kasan_report.cold.9+0x242/0x309 [ 40.013795] ? __schedule+0xfc3/0x1ed0 [ 40.017682] __asan_report_load8_noabort+0x14/0x20 [ 40.022610] __schedule+0xfc3/0x1ed0 [ 40.026329] ? __sched_text_start+0x8/0x8 [ 40.030504] ? __lock_is_held+0xb5/0x140 [ 40.034563] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 40.039670] ? find_held_lock+0x36/0x1c0 [ 40.043737] ? __call_srcu+0x7f9/0x1070 [ 40.047710] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 40.052809] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 40.057916] ? lockdep_hardirqs_on+0x421/0x5c0 [ 40.062502] ? preempt_schedule+0x4d/0x60 [ 40.066651] preempt_schedule_common+0x1f/0xd0 [ 40.071249] preempt_schedule+0x4d/0x60 [ 40.075229] ___preempt_schedule+0x16/0x18 [ 40.079492] _raw_spin_unlock_irqrestore+0xbb/0xd0 [ 40.084425] __call_srcu+0x7f9/0x1070 [ 40.088228] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 40.093341] ? srcu_offline_cpu+0x120/0x120 [ 40.097663] ? debug_object_free+0x690/0x690 [ 40.102348] ? mark_held_locks+0x130/0x130 [ 40.106580] ? kvm_arch_destroy_vm+0x414/0x7c0 [ 40.111164] ? lock_release+0x970/0x970 [ 40.115140] ? arch_local_save_flags+0x40/0x40 [ 40.119723] ? depot_save_stack+0x292/0x470 [ 40.124066] ? __lockdep_init_map+0x105/0x590 [ 40.128566] ? __init_waitqueue_head+0x9e/0x150 [ 40.133232] ? init_wait_entry+0x1c0/0x1c0 [ 40.137479] __synchronize_srcu+0x17b/0x230 [ 40.141807] ? call_srcu+0x10/0x10 [ 40.145349] ? rcu_unexpedite_gp+0x20/0x20 [ 40.149588] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 40.155126] ? check_preemption_disabled+0x48/0x200 [ 40.160146] synchronize_srcu+0x356/0x5ab [ 40.164293] ? lock_downgrade+0x900/0x900 [ 40.168441] ? synchronize_srcu_expedited+0x20/0x20 [ 40.173461] ? kasan_check_read+0x11/0x20 [ 40.177608] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 40.182191] ? kasan_check_write+0x14/0x20 [ 40.186429] ? do_raw_spin_lock+0xc1/0x200 [ 40.190667] kvm_page_track_unregister_notifier+0x17d/0x250 [ 40.196377] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 40.201830] ? kvfree+0x61/0x70 [ 40.205108] ? rcu_read_lock_sched_held+0x108/0x120 [ 40.210128] kvm_mmu_uninit_vm+0x1c/0x20 [ 40.214189] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 40.218597] ? kvm_arch_sync_events+0x30/0x30 [ 40.223095] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 40.228634] ? mmu_notifier_unregister+0x474/0x600 [ 40.233561] ? kfree+0x107/0x230 [ 40.236930] ? __mmu_notifier_register+0x30/0x30 [ 40.241689] ? __free_pages+0x10a/0x190 [ 40.245660] ? free_unref_page+0x960/0x960 [ 40.249902] kvm_put_kvm+0x6c8/0xff0 [ 40.253618] ? kvm_write_guest_cached+0x40/0x40 [ 40.258286] ? kvm_irqfd_release+0xd1/0x120 [ 40.262606] ? _raw_spin_unlock_irq+0x27/0x80 [ 40.267097] ? _raw_spin_unlock_irq+0x27/0x80 [ 40.271608] ? kasan_check_write+0x14/0x20 [ 40.275842] ? do_raw_spin_lock+0xc1/0x200 [ 40.280079] ? kvm_irqfd_release+0xdd/0x120 [ 40.284396] ? kvm_irqfd_release+0xdd/0x120 [ 40.288715] ? kvm_put_kvm+0xff0/0xff0 [ 40.292606] kvm_vm_release+0x42/0x50 [ 40.296405] __fput+0x385/0xa30 [ 40.299699] ? get_max_files+0x20/0x20 [ 40.303586] ? trace_hardirqs_on+0xbd/0x310 [ 40.307911] ? ___might_sleep+0x1ed/0x300 [ 40.312056] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 40.317507] ? arch_local_save_flags+0x40/0x40 [ 40.322109] ? kasan_check_write+0x14/0x20 [ 40.326345] ? do_raw_spin_lock+0xc1/0x200 [ 40.330582] ____fput+0x15/0x20 [ 40.333892] task_work_run+0x1e8/0x2a0 [ 40.337788] ? task_work_cancel+0x240/0x240 [ 40.342111] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 40.347650] ? switch_task_namespaces+0x9d/0xd0 [ 40.352324] do_exit+0x1ad7/0x2610 [ 40.355868] ? mm_update_next_owner+0x990/0x990 [ 40.360542] ? kvm_vcpu_ioctl+0x29c/0x1150 [ 40.364775] ? rcu_read_lock_sched_held+0x108/0x120 [ 40.369790] ? kfree+0x1fa/0x230 [ 40.373159] ? kvm_vcpu_ioctl+0x2a1/0x1150 [ 40.377393] ? kvm_vcpu_block+0x1030/0x1030 [ 40.381719] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.387262] ? avc_has_extended_perms+0xab2/0x15a0 [ 40.392200] ? fpu__prepare_read+0x3b/0x750 [ 40.396520] ? avc_ss_reset+0x190/0x190 [ 40.400501] ? save_stack+0xa9/0xd0 [ 40.404124] ? save_stack+0x43/0xd0 [ 40.407753] ? __kasan_slab_free+0x102/0x150 [ 40.412159] ? kasan_slab_free+0xe/0x10 [ 40.416130] ? putname+0xf2/0x130 [ 40.419581] ? __x64_sys_openat+0x9d/0x100 [ 40.423812] ? do_syscall_64+0x1b9/0x820 [ 40.427874] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 40.433253] ? ___might_sleep+0x1ed/0x300 [ 40.437401] ? __bpf_trace_initcall_finish+0x2a/0x30 [ 40.442507] ? trace_hardirqs_off+0xb8/0x310 [ 40.446922] ? kvm_vcpu_block+0x1030/0x1030 [ 40.451249] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.456789] ? do_vfs_ioctl+0x201/0x1720 [ 40.460851] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 40.466045] ? ioctl_preallocate+0x300/0x300 [ 40.470459] ? selinux_file_mprotect+0x620/0x620 [ 40.475214] ? path_mountpoint+0x34f/0x2190 [ 40.479541] ? rcu_read_lock_sched_held+0x108/0x120 [ 40.484555] ? kmem_cache_free+0x24f/0x290 [ 40.488786] ? putname+0xf7/0x130 [ 40.492273] do_group_exit+0x177/0x440 [ 40.496182] ? trace_hardirqs_on+0xbd/0x310 [ 40.500514] ? __ia32_sys_exit+0x50/0x50 [ 40.504574] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 40.510049] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.515594] ? ksys_ioctl+0x81/0xd0 [ 40.519232] __x64_sys_exit_group+0x3e/0x50 [ 40.523569] do_syscall_64+0x1b9/0x820 [ 40.527459] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 40.532823] ? syscall_return_slowpath+0x5e0/0x5e0 [ 40.537759] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 40.542633] ? trace_hardirqs_on_caller+0x310/0x310 [ 40.547677] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 40.552695] ? prepare_exit_to_usermode+0x291/0x3b0 [ 40.557712] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 40.562559] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 40.567740] RIP: 0033:0x43f028 [ 40.570934] Code: Bad RIP value. [ 40.574296] RSP: 002b:00007ffdfb6a3cc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 40.582005] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f028 [ 40.589270] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 40.596537] RBP: 00000000004c08e8 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 40.603803] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001 [ 40.611071] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000 [ 40.618341] [ 40.619962] Allocated by task 5489: [ 40.623620] save_stack+0x43/0xd0 [ 40.627065] kasan_kmalloc+0xc7/0xe0 [ 40.630793] kasan_slab_alloc+0x12/0x20 [ 40.634762] kmem_cache_alloc+0x12e/0x730 [ 40.638919] vmx_create_vcpu+0xcf/0x25e0 [ 40.642997] kvm_arch_vcpu_create+0xe5/0x220 [ 40.647408] kvm_vm_ioctl+0x470/0x1d40 [ 40.651306] do_vfs_ioctl+0x1de/0x1720 [ 40.655202] ksys_ioctl+0xa9/0xd0 [ 40.658648] __x64_sys_ioctl+0x73/0xb0 [ 40.662545] do_syscall_64+0x1b9/0x820 [ 40.666442] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 40.671616] [ 40.673237] Freed by task 5489: [ 40.676520] save_stack+0x43/0xd0 [ 40.679966] __kasan_slab_free+0x102/0x150 [ 40.684207] kasan_slab_free+0xe/0x10 [ 40.688009] kmem_cache_free+0x83/0x290 [ 40.691990] vmx_free_vcpu+0x26b/0x300 [ 40.695877] kvm_arch_destroy_vm+0x365/0x7c0 [ 40.700283] kvm_put_kvm+0x6c8/0xff0 [ 40.704000] kvm_vm_release+0x42/0x50 [ 40.707798] __fput+0x385/0xa30 [ 40.711074] ____fput+0x15/0x20 [ 40.714353] task_work_run+0x1e8/0x2a0 [ 40.718235] do_exit+0x1ad7/0x2610 [ 40.721777] do_group_exit+0x177/0x440 [ 40.725662] __x64_sys_exit_group+0x3e/0x50 [ 40.729999] do_syscall_64+0x1b9/0x820 [ 40.733903] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 40.739094] [ 40.740731] The buggy address belongs to the object at ffff8801c4d78040 [ 40.740731] which belongs to the cache kvm_vcpu of size 23872 [ 40.753306] The buggy address is located 24 bytes inside of [ 40.753306] 23872-byte region [ffff8801c4d78040, ffff8801c4d7dd80) [ 40.765264] The buggy address belongs to the page: [ 40.770188] page:ffffea0007135e00 count:1 mapcount:0 mapping:ffff8801d546c600 index:0x0 compound_mapcount: 0 [ 40.780172] flags: 0x2fffc0000008100(slab|head) [ 40.784841] raw: 02fffc0000008100 ffff8801d546d648 ffff8801d546d648 ffff8801d546c600 [ 40.792719] raw: 0000000000000000 ffff8801c4d78040 0000000100000001 0000000000000000 [ 40.800587] page dumped because: kasan: bad access detected [ 40.806284] [ 40.807902] Memory state around the buggy address: [ 40.812825] ffff8801c4d77f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 40.820178] ffff8801c4d77f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 40.827531] >ffff8801c4d78000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 40.834883] ^ [ 40.841143] ffff8801c4d78080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 40.848499] ffff8801c4d78100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 40.855842] ================================================================== [ 40.863206] Kernel panic - not syncing: panic_on_warn set ... [ 40.863206] [ 40.870575] CPU: 0 PID: 5489 Comm: syz-executor953 Tainted: G B 4.19.0-rc3+ #10 [ 40.879314] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 40.888660] Call Trace: [ 40.891264] dump_stack+0x1c4/0x2b4 [ 40.894892] ? dump_stack_print_info.cold.2+0x52/0x52 [ 40.900085] ? lock_downgrade+0x900/0x900 [ 40.904235] panic+0x238/0x4e7 [ 40.907430] ? add_taint.cold.5+0x16/0x16 [ 40.911588] ? print_shadow_for_address+0xb6/0x116 [ 40.916513] ? trace_hardirqs_off+0xaf/0x310 [ 40.920935] kasan_end_report+0x47/0x4f [ 40.924909] kasan_report.cold.9+0x76/0x309 [ 40.929230] ? __schedule+0xfc3/0x1ed0 [ 40.933144] __asan_report_load8_noabort+0x14/0x20 [ 40.938077] __schedule+0xfc3/0x1ed0 [ 40.941796] ? __sched_text_start+0x8/0x8 [ 40.945950] ? __lock_is_held+0xb5/0x140 [ 40.950034] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 40.955160] ? find_held_lock+0x36/0x1c0 [ 40.959223] ? __call_srcu+0x7f9/0x1070 [ 40.963200] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 40.968300] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 40.973458] ? lockdep_hardirqs_on+0x421/0x5c0 [ 40.978040] ? preempt_schedule+0x4d/0x60 [ 40.982187] preempt_schedule_common+0x1f/0xd0 [ 40.986770] preempt_schedule+0x4d/0x60 [ 40.990755] ___preempt_schedule+0x16/0x18 [ 40.995208] _raw_spin_unlock_irqrestore+0xbb/0xd0 [ 41.000145] __call_srcu+0x7f9/0x1070 [ 41.003945] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 41.009058] ? srcu_offline_cpu+0x120/0x120 [ 41.013376] ? debug_object_free+0x690/0x690 [ 41.017800] ? mark_held_locks+0x130/0x130 [ 41.022035] ? kvm_arch_destroy_vm+0x414/0x7c0 [ 41.026623] ? lock_release+0x970/0x970 [ 41.030595] ? arch_local_save_flags+0x40/0x40 [ 41.035178] ? depot_save_stack+0x292/0x470 [ 41.039508] ? __lockdep_init_map+0x105/0x590 [ 41.044036] ? __init_waitqueue_head+0x9e/0x150 [ 41.048742] ? init_wait_entry+0x1c0/0x1c0 [ 41.052995] __synchronize_srcu+0x17b/0x230 [ 41.057315] ? call_srcu+0x10/0x10 [ 41.060850] ? rcu_unexpedite_gp+0x20/0x20 [ 41.065087] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 41.070619] ? check_preemption_disabled+0x48/0x200 [ 41.075638] synchronize_srcu+0x356/0x5ab [ 41.079786] ? lock_downgrade+0x900/0x900 [ 41.083935] ? synchronize_srcu_expedited+0x20/0x20 [ 41.088957] ? kasan_check_read+0x11/0x20 [ 41.093114] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 41.097697] ? kasan_check_write+0x14/0x20 [ 41.101931] ? do_raw_spin_lock+0xc1/0x200 [ 41.106173] kvm_page_track_unregister_notifier+0x17d/0x250 [ 41.111886] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 41.117355] ? kvfree+0x61/0x70 [ 41.120634] ? rcu_read_lock_sched_held+0x108/0x120 [ 41.125651] kvm_mmu_uninit_vm+0x1c/0x20 [ 41.129713] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 41.134141] ? kvm_arch_sync_events+0x30/0x30 [ 41.138643] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 41.144182] ? mmu_notifier_unregister+0x474/0x600 [ 41.149106] ? kfree+0x107/0x230 [ 41.152469] ? __mmu_notifier_register+0x30/0x30 [ 41.157224] ? __free_pages+0x10a/0x190 [ 41.161200] ? free_unref_page+0x960/0x960 [ 41.165450] kvm_put_kvm+0x6c8/0xff0 [ 41.169173] ? kvm_write_guest_cached+0x40/0x40 [ 41.173841] ? kvm_irqfd_release+0xd1/0x120 [ 41.178162] ? _raw_spin_unlock_irq+0x27/0x80 [ 41.182652] ? _raw_spin_unlock_irq+0x27/0x80 [ 41.187161] ? kasan_check_write+0x14/0x20 [ 41.191399] ? do_raw_spin_lock+0xc1/0x200 [ 41.195644] ? kvm_irqfd_release+0xdd/0x120 [ 41.199967] ? kvm_irqfd_release+0xdd/0x120 [ 41.204301] ? kvm_put_kvm+0xff0/0xff0 [ 41.208190] kvm_vm_release+0x42/0x50 [ 41.212001] __fput+0x385/0xa30 [ 41.215290] ? get_max_files+0x20/0x20 [ 41.219180] ? trace_hardirqs_on+0xbd/0x310 [ 41.223501] ? ___might_sleep+0x1ed/0x300 [ 41.227648] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 41.233098] ? arch_local_save_flags+0x40/0x40 [ 41.237683] ? kasan_check_write+0x14/0x20 [ 41.241922] ? do_raw_spin_lock+0xc1/0x200 [ 41.246178] ____fput+0x15/0x20 [ 41.249475] task_work_run+0x1e8/0x2a0 [ 41.253365] ? task_work_cancel+0x240/0x240 [ 41.257686] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 41.263222] ? switch_task_namespaces+0x9d/0xd0 [ 41.267900] do_exit+0x1ad7/0x2610 [ 41.271446] ? mm_update_next_owner+0x990/0x990 [ 41.276123] ? kvm_vcpu_ioctl+0x29c/0x1150 [ 41.280356] ? rcu_read_lock_sched_held+0x108/0x120 [ 41.285370] ? kfree+0x1fa/0x230 [ 41.288757] ? kvm_vcpu_ioctl+0x2a1/0x1150 [ 41.293007] ? kvm_vcpu_block+0x1030/0x1030 [ 41.297334] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 41.302883] ? avc_has_extended_perms+0xab2/0x15a0 [ 41.307826] ? fpu__prepare_read+0x3b/0x750 [ 41.312145] ? avc_ss_reset+0x190/0x190 [ 41.316127] ? save_stack+0xa9/0xd0 [ 41.319753] ? save_stack+0x43/0xd0 [ 41.323375] ? __kasan_slab_free+0x102/0x150 [ 41.327787] ? kasan_slab_free+0xe/0x10 [ 41.331783] ? putname+0xf2/0x130 [ 41.335257] ? __x64_sys_openat+0x9d/0x100 [ 41.339492] ? do_syscall_64+0x1b9/0x820 [ 41.343554] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 41.348924] ? ___might_sleep+0x1ed/0x300 [ 41.353073] ? __bpf_trace_initcall_finish+0x2a/0x30 [ 41.358176] ? trace_hardirqs_off+0xb8/0x310 [ 41.362590] ? kvm_vcpu_block+0x1030/0x1030 [ 41.366923] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 41.372460] ? do_vfs_ioctl+0x201/0x1720 [ 41.376521] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 41.381711] ? ioctl_preallocate+0x300/0x300 [ 41.386126] ? selinux_file_mprotect+0x620/0x620 [ 41.390881] ? path_mountpoint+0x34f/0x2190 [ 41.395226] ? rcu_read_lock_sched_held+0x108/0x120 [ 41.400251] ? kmem_cache_free+0x24f/0x290 [ 41.404483] ? putname+0xf7/0x130 [ 41.407941] do_group_exit+0x177/0x440 [ 41.411836] ? trace_hardirqs_on+0xbd/0x310 [ 41.416159] ? __ia32_sys_exit+0x50/0x50 [ 41.420223] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 41.425678] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 41.431218] ? ksys_ioctl+0x81/0xd0 [ 41.434873] __x64_sys_exit_group+0x3e/0x50 [ 41.439205] do_syscall_64+0x1b9/0x820 [ 41.443096] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 41.448463] ? syscall_return_slowpath+0x5e0/0x5e0 [ 41.453388] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 41.458231] ? trace_hardirqs_on_caller+0x310/0x310 [ 41.463262] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 41.468277] ? prepare_exit_to_usermode+0x291/0x3b0 [ 41.473295] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 41.478143] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 41.483329] RIP: 0033:0x43f028 [ 41.486520] Code: Bad RIP value. [ 41.489881] RSP: 002b:00007ffdfb6a3cc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 41.497585] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f028 [ 41.504844] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 41.512130] RBP: 00000000004c08e8 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 41.519392] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001 [ 41.526654] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000 [ 41.533929] [ 41.533935] ====================================================== [ 41.533940] WARNING: possible circular locking dependency detected [ 41.533944] 4.19.0-rc3+ #10 Not tainted [ 41.533962] ------------------------------------------------------ [ 41.533967] syz-executor953/5489 is trying to acquire lock: [ 41.533971] 00000000dab05bff ((console_sem).lock){-...}, at: down_trylock+0x13/0x70 [ 41.533996] [ 41.534000] but task is already holding lock: [ 41.534003] 000000007c4098f2 (report_lock){....}, at: kasan_report+0x8b/0x110 [ 41.534019] [ 41.534024] which lock already depends on the new lock. [ 41.534026] [ 41.534029] [ 41.534035] the existing dependency chain (in reverse order) is: [ 41.534037] [ 41.534040] -> #3 (report_lock){....}: [ 41.534056] _raw_spin_lock_irqsave+0x99/0xd0 [ 41.534060] kasan_report+0x8b/0x110 [ 41.534065] __asan_report_load8_noabort+0x14/0x20 [ 41.534069] __schedule+0xfc3/0x1ed0 [ 41.534087] preempt_schedule_common+0x1f/0xd0 [ 41.534091] preempt_schedule+0x4d/0x60 [ 41.534108] ___preempt_schedule+0x16/0x18 [ 41.534112] _raw_spin_unlock_irqrestore+0xbb/0xd0 [ 41.534117] __call_srcu+0x7f9/0x1070 [ 41.534121] __synchronize_srcu+0x17b/0x230 [ 41.534126] synchronize_srcu+0x356/0x5ab [ 41.534131] kvm_page_track_unregister_notifier+0x17d/0x250 [ 41.534135] kvm_mmu_uninit_vm+0x1c/0x20 [ 41.534140] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 41.534144] kvm_put_kvm+0x6c8/0xff0 [ 41.534148] kvm_vm_release+0x42/0x50 [ 41.534152] __fput+0x385/0xa30 [ 41.534156] ____fput+0x15/0x20 [ 41.534160] task_work_run+0x1e8/0x2a0 [ 41.534164] do_exit+0x1ad7/0x2610 [ 41.534169] do_group_exit+0x177/0x440 [ 41.534173] __x64_sys_exit_group+0x3e/0x50 [ 41.534177] do_syscall_64+0x1b9/0x820 [ 41.534182] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 41.534185] [ 41.534187] -> #2 (&rq->lock){-.-.}: [ 41.534202] _raw_spin_lock+0x2d/0x40 [ 41.534207] task_fork_fair+0xb0/0x6d0 [ 41.534211] sched_fork+0x443/0xba0 [ 41.534215] copy_process+0x2586/0x8780 [ 41.534219] _do_fork+0x1cb/0x11d0 [ 41.534223] kernel_thread+0x34/0x40 [ 41.534227] rest_init+0x22/0xe5 [ 41.534231] start_kernel+0x8f4/0x92f [ 41.534236] x86_64_start_reservations+0x29/0x2b [ 41.534260] x86_64_start_kernel+0x76/0x79 [ 41.534264] secondary_startup_64+0xa4/0xb0 [ 41.534267] [ 41.534269] -> #1 (&p->pi_lock){-.-.}: [ 41.534297] _raw_spin_lock_irqsave+0x99/0xd0 [ 41.534301] try_to_wake_up+0xd2/0x12f0 [ 41.534305] wake_up_process+0x10/0x20 [ 41.534309] __up.isra.1+0x1c0/0x2a0 [ 41.534313] up+0x13c/0x1c0 [ 41.534317] __up_console_sem+0xbe/0x1b0 [ 41.534322] console_unlock+0x524/0x11a0 [ 41.534326] vprintk_emit+0x33d/0x930 [ 41.534330] vprintk_default+0x28/0x30 [ 41.534334] vprintk_func+0x7e/0x181 [ 41.534338] printk+0xa7/0xcf [ 41.534342] load_umh+0x51/0xbd [ 41.534346] do_one_initcall+0x145/0x957 [ 41.534351] kernel_init_freeable+0x4bb/0x5ae [ 41.534355] kernel_init+0x11/0x1b2 [ 41.534359] ret_from_fork+0x3a/0x50 [ 41.534362] [ 41.534364] -> #0 ((console_sem).lock){-...}: [ 41.534380] lock_acquire+0x1ed/0x520 [ 41.534385] _raw_spin_lock_irqsave+0x99/0xd0 [ 41.534389] down_trylock+0x13/0x70 [ 41.534394] __down_trylock_console_sem+0xae/0x200 [ 41.534398] console_trylock+0x15/0xa0 [ 41.534402] vprintk_emit+0x322/0x930 [ 41.534406] vprintk_default+0x28/0x30 [ 41.534410] vprintk_func+0x7e/0x181 [ 41.534414] printk+0xa7/0xcf [ 41.534418] kasan_report+0x9b/0x110 [ 41.534423] __asan_report_load8_noabort+0x14/0x20 [ 41.534427] __schedule+0xfc3/0x1ed0 [ 41.534432] preempt_schedule_common+0x1f/0xd0 [ 41.534436] preempt_schedule+0x4d/0x60 [ 41.534441] ___preempt_schedule+0x16/0x18 [ 41.534446] _raw_spin_unlock_irqrestore+0xbb/0xd0 [ 41.534450] __call_srcu+0x7f9/0x1070 [ 41.534454] __synchronize_srcu+0x17b/0x230 [ 41.534459] synchronize_srcu+0x356/0x5ab [ 41.534464] kvm_page_track_unregister_notifier+0x17d/0x250 [ 41.534469] kvm_mmu_uninit_vm+0x1c/0x20 [ 41.534473] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 41.534477] kvm_put_kvm+0x6c8/0xff0 [ 41.534481] kvm_vm_release+0x42/0x50 [ 41.534485] __fput+0x385/0xa30 [ 41.534489] ____fput+0x15/0x20 [ 41.534493] task_work_run+0x1e8/0x2a0 [ 41.534497] do_exit+0x1ad7/0x2610 [ 41.534502] do_group_exit+0x177/0x440 [ 41.534506] __x64_sys_exit_group+0x3e/0x50 [ 41.534510] do_syscall_64+0x1b9/0x820 [ 41.534515] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 41.534518] [ 41.534523] other info that might help us debug this: [ 41.534525] [ 41.534528] Chain exists of: [ 41.534531] (console_sem).lock --> &rq->lock --> report_lock [ 41.534550] [ 41.534555] Possible unsafe locking scenario: [ 41.534557] [ 41.534562] CPU0 CPU1 [ 41.534566] ---- ---- [ 41.534569] lock(report_lock); [ 41.534579] lock(&rq->lock); [ 41.534588] lock(report_lock); [ 41.534597] lock((console_sem).lock); [ 41.534606] [ 41.534609] *** DEADLOCK *** [ 41.534612] [ 41.534616] 2 locks held by syz-executor953/5489: [ 41.534619] #0: 00000000a0c55855 (&rq->lock){-.-.}, at: __schedule+0x236/0x1ed0 [ 41.534637] #1: 000000007c4098f2 (report_lock){....}, at: kasan_report+0x8b/0x110 [ 41.534655] [ 41.534658] stack backtrace: [ 41.534665] CPU: 0 PID: 5489 Comm: syz-executor953 Not tainted 4.19.0-rc3+ #10 [ 41.534686] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 41.534689] Call Trace: [ 41.534693] dump_stack+0x1c4/0x2b4 [ 41.534698] ? dump_stack_print_info.cold.2+0x52/0x52 [ 41.534702] ? vprintk_func+0x85/0x181 [ 41.534707] print_circular_bug.isra.33.cold.54+0x1bd/0x27d [ 41.534711] ? save_trace+0xe0/0x290 [ 41.534715] __lock_acquire+0x33e4/0x4ec0 [ 41.534719] ? mark_held_locks+0x130/0x130 [ 41.534724] ? mark_held_locks+0x130/0x130 [ 41.534728] ? rcu_bh_qs+0xc0/0xc0 [ 41.534732] ? unwind_dump+0x190/0x190 [ 41.534736] ? is_bpf_text_address+0xd3/0x170 [ 41.534740] ? kernel_text_address+0x79/0xf0 [ 41.534746] ? __kernel_text_address+0xd/0x40 [ 41.534750] ? __save_stack_trace+0x8d/0xf0 [ 41.534755] ? add_lock_to_list.isra.26+0x1ec/0x4b0 [ 41.534759] ? save_trace+0x290/0x290 [ 41.534763] ? save_stack_trace+0x1a/0x20 [ 41.534767] ? save_trace+0xe0/0x290 [ 41.534771] ? kasan_check_read+0x11/0x20 [ 41.534775] ? graph_lock+0x170/0x170 [ 41.534780] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 41.534784] lock_acquire+0x1ed/0x520 [ 41.534788] ? down_trylock+0x13/0x70 [ 41.534793] ? find_held_lock+0x36/0x1c0 [ 41.534797] ? lock_release+0x970/0x970 [ 41.534801] ? trace_hardirqs_off+0xb8/0x310 [ 41.534805] ? vprintk_emit+0x1d3/0x930 [ 41.534810] ? trace_hardirqs_on+0x310/0x310 [ 41.534814] ? trace_hardirqs_off+0xb8/0x310 [ 41.534818] ? log_store+0x344/0x4c0 [ 41.534822] ? vprintk_emit+0x322/0x930 [ 41.534826] _raw_spin_lock_irqsave+0x99/0xd0 [ 41.534843] ? down_trylock+0x13/0x70 [ 41.534847] down_trylock+0x13/0x70 [ 41.534852] __down_trylock_console_sem+0xae/0x200 [ 41.534856] console_trylock+0x15/0xa0 [ 41.534859] vprintk_emit+0x322/0x930 [ 41.534875] ? wake_up_klogd+0x180/0x180 [ 41.534879] ? run_rebalance_domains+0x500/0x500 [ 41.534883] ? wake_up_worker+0x117/0x190 [ 41.534887] ? find_held_lock+0x36/0x1c0 [ 41.534891] ? __queue_work+0x6be/0x1440 [ 41.534895] ? lock_acquire+0x1ed/0x520 [ 41.534898] vprintk_default+0x28/0x30 [ 41.534902] vprintk_func+0x7e/0x181 [ 41.534906] printk+0xa7/0xcf [ 41.534910] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 41.534914] ? kasan_check_write+0x14/0x20 [ 41.534918] ? do_raw_spin_lock+0xc1/0x200 [ 41.534922] ? do_raw_spin_lock+0xc1/0x200 [ 41.534925] kasan_report+0x9b/0x110 [ 41.534929] ? __schedule+0xfc3/0x1ed0 [ 41.534933] __asan_report_load8_noabort+0x14/0x20 [ 41.534937] __schedule+0xfc3/0x1ed0 [ 41.534941] ? __sched_text_start+0x8/0x8 [ 41.534945] ? __lock_is_held+0xb5/0x140 [ 41.534950] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 41.534953] ? find_held_lock+0x36/0x1c0 [ 41.534957] ? __call_srcu+0x7f9/0x1070 [ 41.534962] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 41.534966] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 41.534970] ? lockdep_hardirqs_on+0x421/0x5c0 [ 41.534974] ? preempt_schedule+0x4d/0x60 [ 41.534998] preempt_schedule_common+0x1f/0xd0 [ 41.535002] preempt_schedule+0x4d/0x60 [ 41.535006] ___preempt_schedule+0x16/0x18 [ 41.535011] _raw_spin_unlock_irqrestore+0xbb/0xd0 [ 41.535015] __call_srcu+0x7f9/0x1070 [ 41.535020] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 41.535024] ? srcu_offline_cpu+0x120/0x120 [ 41.535028] ? debug_object_free+0x690/0x690 [ 41.535032] ? mark_held_locks+0x130/0x130 [ 41.535036] ? kvm_arch_destroy_vm+0x414/0x7c0 [ 41.535040] ? lock_release+0x970/0x970 [ 41.535045] ? arch_local_save_flags+0x40/0x40 [ 41.535049] ? depot_save_stack+0x292/0x470 [ 41.535053] ? __lockdep_init_map+0x105/0x590 [ 41.535057] ? __init_waitqueue_head+0x9e/0x150 [ 41.535062] ? init_wait_entry+0x1c0/0x1c0 [ 41.535066] __synchronize_srcu+0x17b/0x230 [ 41.535070] ? call_srcu+0x10/0x10 [ 41.535074] ? rcu_unexpedite_gp+0x20/0x20 [ 41.535078] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 41.535083] ? check_preemption_disabled+0x48/0x200 [ 41.535099] synchronize_srcu+0x356/0x5ab [ 41.535102] ? lock_downgrade+0x900/0x900 [ 41.535107] ? synchronize_srcu_expedited+0x20/0x20 [ 41.535111] ? kasan_check_read+0x11/0x20 [ 41.535115] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 41.535119] ? kasan_check_write+0x14/0x20 [ 41.535123] ? do_raw_spin_lock+0xc1/0x200 [ 41.535128] kvm_page_track_unregister_notifier+0x17d/0x250 [ 41.535133] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 41.535136] ? kvfree+0x61/0x70 [ 41.535140] ? rcu_read_lock_sched_held+0x108/0x120 [ 41.535144] kvm_mmu_uninit_vm+0x1c/0x20 [ 41.535160] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 41.535165] ? kvm_arch_sync_events+0x30/0x30 [ 41.535182] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 41.535186] ? mmu_notifier_unregister+0x474/0x600 [ 41.535190] ? kfree+0x107/0x230 [ 41.535195] ? __mmu_notifier_register+0x30/0x30 [ 41.535199] ? __free_pages+0x10a/0x190 [ 41.535203] ? free_unref_page+0x960/0x960 [ 41.535207] kvm_put_kvm+0x6c8/0xff0 [ 41.535212] ? kvm_write_guest_cached+0x40/0x40 [ 41.535228] ? kvm_irqfd_release+0xd1/0x120 [ 41.535233] ? _raw_spin_unlock_irq+0x27/0x80 [ 41.535237] ? _raw_spin_unlock_irq+0x27/0x80 [ 41.535248] ? kasan_check_write+0x14/0x20 [ 41.535252] ? do_raw_spin_lock+0xc1/0x200 [ 41.535269] ? kvm_irqfd_release+0xdd [ 41.535277] Lost 73 message(s)! [ 42.726667] Shutting down cpus with NMI [ 43.783584] Dumping ftrace buffer: [ 43.787107] (ftrace buffer empty) [ 43.791335] Kernel Offset: disabled [ 43.794960] Rebooting in 86400 seconds..