Warning: Permanently added '10.128.0.75' (ECDSA) to the list of known hosts.
executing program
[ 52.957141] audit: type=1400 audit(1572011535.876:36): avc: denied { map } for pid=7675 comm="syz-executor026" path="/root/syz-executor026499888" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 57.969627] ------------[ cut here ]------------
[ 57.975520] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80
[ 57.985529] WARNING: CPU: 1 PID: 7678 at lib/debugobjects.c:325 debug_print_object+0x168/0x250
[ 57.994281] Kernel panic - not syncing: panic_on_warn set ...
[ 57.994281]
[ 58.001636] CPU: 1 PID: 7678 Comm: syz-executor026 Not tainted 4.19.80 #0
[ 58.008551] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.018070] Call Trace:
[ 58.020662] dump_stack+0x172/0x1f0
[ 58.024296] panic+0x26a/0x50e
[ 58.027475] ? __warn_printk+0xf3/0xf3
[ 58.031358] ? debug_print_object+0x168/0x250
[ 58.035852] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.041550] ? __warn.cold+0x5/0x53
[ 58.045187] ? __warn+0xe8/0x1d0
[ 58.051494] ? debug_print_object+0x168/0x250
[ 58.055978] __warn.cold+0x20/0x53
[ 58.059527] ? trace_hardirqs_off+0x62/0x220
[ 58.064248] ? debug_print_object+0x168/0x250
[ 58.068764] report_bug+0x263/0x2b0
[ 58.072440] do_error_trap+0x204/0x360
[ 58.076329] ? math_error+0x340/0x340
[ 58.080124] ? wake_up_klogd+0x99/0xd0
[ 58.084005] ? vprintk_emit+0x1ab/0x690
[ 58.087984] ? error_entry+0x7c/0xe0
[ 58.091696] ? trace_hardirqs_off_caller+0x65/0x220
[ 58.097312] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 58.102332] do_invalid_op+0x1b/0x20
[ 58.106033] invalid_op+0x14/0x20
[ 58.109488] RIP: 0010:debug_print_object+0x168/0x250
[ 58.115886] Code: dd 60 4b 82 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48 8b 14 dd 60 4b 82 87 48 c7 c7 a0 40 82 87 e8 16 27 1a fe <0f> 0b 83 05 fb f4 18 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
[ 58.134866] RSP: 0018:ffff8880941178d8 EFLAGS: 00010086
[ 58.141096] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[ 58.148788] RDX: 0000000000000000 RSI: ffffffff81553f06 RDI: ffffed1012822f0d
[ 58.156397] RBP: ffff888094117918 R08: ffff888092eda080 R09: ffffed1015d23ee3
[ 58.163664] R10: ffffed1015d23ee2 R11: ffff8880ae91f717 R12: 0000000000000001
[ 58.176473] R13: ffffffff887aaac0 R14: ffffffff815ab490 R15: ffff88809080e5a8
[ 58.183743] ? __internal_add_timer+0x1f0/0x1f0
[ 58.188402] ? vprintk_func+0x86/0x189
[ 58.192282] ? debug_print_object+0x168/0x250
[ 58.196781] debug_check_no_obj_freed+0x29f/0x464
[ 58.201630] kfree+0xbd/0x220
[ 58.204723] rfcomm_dlc_free+0x20/0x30
[ 58.208592] rfcomm_dev_ioctl+0x181f/0x1b60
[ 58.213006] ? __local_bh_enable_ip+0x15a/0x270
[ 58.217677] ? lock_sock_nested+0xe2/0x120
[ 58.222010] ? __local_bh_enable_ip+0x15a/0x270
[ 58.226679] ? rfcomm_dev_state_change+0x150/0x150
[ 58.231595] ? __local_bh_enable_ip+0x15a/0x270
[ 58.236511] rfcomm_sock_ioctl+0x90/0xb0
[ 58.240568] sock_do_ioctl+0xd8/0x2f0
[ 58.244366] ? compat_ifr_data_ioctl+0x160/0x160
[ 58.249130] ? __lock_acquire+0x6ee/0x49c0
[ 58.253363] ? rcu_read_lock_sched_held+0x110/0x130
[ 58.258381] ? kmem_cache_alloc+0x32a/0x700
[ 58.263134] sock_ioctl+0x325/0x610
[ 58.266764] ? dlci_ioctl_set+0x40/0x40
[ 58.270739] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.276271] ? __might_sleep+0x95/0x190
[ 58.280245] ? find_held_lock+0x35/0x130
[ 58.284566] ? dlci_ioctl_set+0x40/0x40
[ 58.288876] do_vfs_ioctl+0xd5f/0x1380
[ 58.292750] ? selinux_file_ioctl+0x46f/0x5e0
[ 58.297319] ? selinux_file_ioctl+0x125/0x5e0
[ 58.301798] ? ioctl_preallocate+0x210/0x210
[ 58.306193] ? selinux_file_mprotect+0x620/0x620
[ 58.310939] ? __sanitizer_cov_trace_cmp1+0xb/0x20
[ 58.315859] ? __fd_install+0x200/0x640
[ 58.319828] ? fd_install+0x4d/0x60
[ 58.323455] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.328989] ? security_file_ioctl+0x8d/0xc0
[ 58.333401] ksys_ioctl+0xab/0xd0
[ 58.336842] __x64_sys_ioctl+0x73/0xb0
[ 58.340716] do_syscall_64+0xfd/0x620
[ 58.344522] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.349730] RIP: 0033:0x441229
[ 58.352907] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 58.371796] RSP: 002b:00007fff1287edd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 58.379682] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 58.386934] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 58.394200] RBP: 000000000000e250 R08: 00000000004002c8 R09: 00000000004002c8
[ 58.401540] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 58.408932] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 58.416203]
[ 58.416207] ======================================================
[ 58.416211] WARNING: possible circular locking dependency detected
[ 58.416213] 4.19.80 #0 Not tainted
[ 58.416216] ------------------------------------------------------
[ 58.416219] syz-executor026/7678 is trying to acquire lock:
[ 58.416222] 00000000ccf37b4a ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[ 58.416231]
[ 58.416233] but task is already holding lock:
[ 58.416235] 0000000023ed7515 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 58.416244]
[ 58.416247] which lock already depends on the new lock.
[ 58.416248]
[ 58.416249]
[ 58.416253] the existing dependency chain (in reverse order) is:
[ 58.416254]
[ 58.416255] -> #3 (&obj_hash[i].lock){-.-.}:
[ 58.416264] _raw_spin_lock_irqsave+0x95/0xcd
[ 58.416266] __debug_object_init+0xc6/0xc30
[ 58.416269] debug_object_init+0x16/0x20
[ 58.416271] hrtimer_init+0x2a/0x300
[ 58.416273] init_dl_task_timer+0x1b/0x50
[ 58.416276] __sched_fork+0x22a/0x4b0
[ 58.416278] init_idle+0x75/0x800
[ 58.416280] sched_init+0x952/0x9f0
[ 58.416282] start_kernel+0x402/0x8c5
[ 58.416285] x86_64_start_reservations+0x29/0x2b
[ 58.416288] x86_64_start_kernel+0x77/0x7b
[ 58.416290] secondary_startup_64+0xa4/0xb0
[ 58.416291]
[ 58.416293] -> #2 (&rq->lock){-.-.}:
[ 58.416301] _raw_spin_lock+0x2f/0x40
[ 58.416303] task_fork_fair+0x6a/0x520
[ 58.416305] sched_fork+0x3af/0x900
[ 58.416308] copy_process.part.0+0x1859/0x7a30
[ 58.416310] _do_fork+0x257/0xfd0
[ 58.416312] kernel_thread+0x34/0x40
[ 58.416314] rest_init+0x24/0x222
[ 58.416316] start_kernel+0x88c/0x8c5
[ 58.416319] x86_64_start_reservations+0x29/0x2b
[ 58.416322] x86_64_start_kernel+0x77/0x7b
[ 58.416324] secondary_startup_64+0xa4/0xb0
[ 58.416325]
[ 58.416327] -> #1 (&p->pi_lock){-.-.}:
[ 58.416335] _raw_spin_lock_irqsave+0x95/0xcd
[ 58.416337] try_to_wake_up+0x94/0xf50
[ 58.416339] wake_up_process+0x10/0x20
[ 58.416342] __up.isra.0+0x136/0x1a0
[ 58.416344] up+0x9c/0xe0
[ 58.416346] __up_console_sem+0xb7/0x1c0
[ 58.416349] console_unlock+0x6c7/0x10b0
[ 58.416351] vprintk_emit+0x238/0x690
[ 58.416353] vprintk_default+0x28/0x30
[ 58.416356] vprintk_func+0x7e/0x189
[ 58.416358] printk+0xba/0xed
[ 58.416360] kauditd_hold_skb.cold+0x3f/0x4e
[ 58.416363] kauditd_send_queue+0x12b/0x170
[ 58.416365] kauditd_thread+0x732/0xa60
[ 58.416367] kthread+0x354/0x420
[ 58.416369] ret_from_fork+0x24/0x30
[ 58.416371]
[ 58.416372] -> #0 ((console_sem).lock){-...}:
[ 58.416380] lock_acquire+0x16f/0x3f0
[ 58.416383] _raw_spin_lock_irqsave+0x95/0xcd
[ 58.416385] down_trylock+0x13/0x70
[ 58.416387] __down_trylock_console_sem+0xa8/0x210
[ 58.416390] console_trylock+0x15/0xa0
[ 58.416392] vprintk_emit+0x21d/0x690
[ 58.416395] vprintk_default+0x28/0x30
[ 58.416397] vprintk_func+0x7e/0x189
[ 58.416399] printk+0xba/0xed
[ 58.416401] __warn_printk+0x9b/0xf3
[ 58.416404] debug_print_object+0x168/0x250
[ 58.416407] debug_check_no_obj_freed+0x29f/0x464
[ 58.416409] kfree+0xbd/0x220
[ 58.416412] rfcomm_dlc_free+0x20/0x30
[ 58.416414] rfcomm_dev_ioctl+0x181f/0x1b60
[ 58.416417] rfcomm_sock_ioctl+0x90/0xb0
[ 58.416419] sock_do_ioctl+0xd8/0x2f0
[ 58.416421] sock_ioctl+0x325/0x610
[ 58.416424] do_vfs_ioctl+0xd5f/0x1380
[ 58.416426] ksys_ioctl+0xab/0xd0
[ 58.416428] __x64_sys_ioctl+0x73/0xb0
[ 58.416431] do_syscall_64+0xfd/0x620
[ 58.416434] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.416435]
[ 58.416438] other info that might help us debug this:
[ 58.416439]
[ 58.416441] Chain exists of:
[ 58.416442] (console_sem).lock --> &rq->lock --> &obj_hash[i].lock
[ 58.416452]
[ 58.416455] Possible unsafe locking scenario:
[ 58.416456]
[ 58.416458]        CPU0                    CPU1
[ 58.416461]        ----                    ----
[ 58.416462]   lock(&obj_hash[i].lock);
[ 58.416468]                                lock(&rq->lock);
[ 58.416473]                                lock(&obj_hash[i].lock);
[ 58.416477]   lock((console_sem).lock);
[ 58.416482]
[ 58.416485] *** DEADLOCK ***
[ 58.416487]
[ 58.416491] 3 locks held by syz-executor026/7678:
[ 58.416493] #0: 000000003747e874 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: rfcomm_sock_ioctl+0x82/0xb0
[ 58.416510] #1: 000000000fad7f81 (rfcomm_ioctl_mutex){+.+.}, at: rfcomm_dev_ioctl+0x4f0/0x1b60
[ 58.416527] #2: 0000000023ed7515 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 58.416542]
[ 58.416544] stack backtrace:
[ 58.416547] CPU: 1 PID: 7678 Comm: syz-executor026 Not tainted 4.19.80 #0
[ 58.416551] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.416553] Call Trace:
[ 58.416555] dump_stack+0x172/0x1f0
[ 58.416563] print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 58.416566] __lock_acquire+0x2e19/0x49c0
[ 58.416568] ? mark_held_locks+0x100/0x100
[ 58.416570] ? kvm_clock_read+0x18/0x30
[ 58.416573] ? kvm_sched_clock_read+0x9/0x20
[ 58.416575] lock_acquire+0x16f/0x3f0
[ 58.416577] ? down_trylock+0x13/0x70
[ 58.416580] _raw_spin_lock_irqsave+0x95/0xcd
[ 58.416582] ? down_trylock+0x13/0x70
[ 58.416584] ? vprintk_emit+0x21d/0x690
[ 58.416586] down_trylock+0x13/0x70
[ 58.416589] ? vprintk_emit+0x21d/0x690
[ 58.416591] __down_trylock_console_sem+0xa8/0x210
[ 58.416594] console_trylock+0x15/0xa0
[ 58.416596] vprintk_emit+0x21d/0x690
[ 58.416598] ? __internal_add_timer+0x1f0/0x1f0
[ 58.416601] vprintk_default+0x28/0x30
[ 58.416603] vprintk_func+0x7e/0x189
[ 58.416605] printk+0xba/0xed
[ 58.416607] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 58.416610] ? __warn_printk+0x8f/0xf3
[ 58.416612] ? rfcomm_session_add+0x300/0x300
[ 58.416614] __warn_printk+0x9b/0xf3
[ 58.416616] ? add_taint.cold+0x16/0x16
[ 58.416619] ? skb_dequeue+0x12e/0x180
[ 58.416621] ? rfcomm_session_add+0x300/0x300
[ 58.416624] debug_print_object+0x168/0x250
[ 58.416626] debug_check_no_obj_freed+0x29f/0x464
[ 58.416628] kfree+0xbd/0x220
[ 58.416631] rfcomm_dlc_free+0x20/0x30
[ 58.416633] rfcomm_dev_ioctl+0x181f/0x1b60
[ 58.416636] ? __local_bh_enable_ip+0x15a/0x270
[ 58.416638] ? lock_sock_nested+0xe2/0x120
[ 58.416640] ? __local_bh_enable_ip+0x15a/0x270
[ 58.416647] ? rfcomm_dev_state_change+0x150/0x150
[ 58.416650] ? __local_bh_enable_ip+0x15a/0x270
[ 58.416652] rfcomm_sock_ioctl+0x90/0xb0
[ 58.416655] sock_do_ioctl+0xd8/0x2f0
[ 58.416657] ? compat_ifr_data_ioctl+0x160/0x160
[ 58.416660] ? __lock_acquire+0x6ee/0x49c0
[ 58.416663] ? rcu_read_lock_sched_held+0x110/0x130
[ 58.416665] ? kmem_cache_alloc+0x32a/0x700
[ 58.416667] sock_ioctl+0x325/0x610
[ 58.416670] ? dlci_ioctl_set+0x40/0x40
[ 58.416673] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.416675] ? __might_sleep+0x95/0x190
[ 58.416678] ? find_held_lock+0x35/0x130
[ 58.416680] ? dlci_ioctl_set+0x40/0x40
[ 58.416682] do_vfs_ioctl+0xd5f/0x1380
[ 58.416685] ? selinux_file_ioctl+0x46f/0x5e0
[ 58.416688] ? selinux_file_ioctl+0x125/0x5e0
[ 58.416690] ? ioctl_preallocate+0x210/0x210
[ 58.416693] ? selinux_file_mprotect+0x620/0x620
[ 58.416695] ? __sanitizer_cov_trace_cmp1+0xb/0x20
[ 58.416698] ? __fd_install+0x200/0x640
[ 58.416700] ? fd_install+0x4d/0x60
[ 58.416703] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.416705] ? security_file_ioctl+0x8d/0xc0
[ 58.416708] ksys_ioctl+0xab/0xd0
[ 58.416710] __x64_sys_ioctl+0x73/0xb0
[ 58.416712] do_syscall_64+0xfd/0x620
[ 58.416715] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.416717] RIP: 0033:0x441229
[ 58.416726] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 58.416729] RSP: 002b:00007fff1287edd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 58.416735] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 58.416738] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 58.416742] RBP: 000000000000e250 R08: 00000000004002c8 R09: 00000000004002c8
[ 58.416746] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 58.416749] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 58.418306] Kernel Offset: disabled
[ 59.245885] Rebooting in 86400 seconds..