[ 36.079846] audit: type=1800 audit(1583872188.666:33): pid=7270 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 36.103018] audit: type=1800 audit(1583872188.676:34): pid=7270 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 39.351579] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.692531] audit: type=1400 audit(1583872192.286:35): avc: denied { map } for pid=7443 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 39.747600] random: sshd: uninitialized urandom read (32 bytes read)
[ 40.501795] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.411209] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.197' (ECDSA) to the list of known hosts.
[ 48.973669] random: sshd: uninitialized urandom read (32 bytes read)
[ 49.098865] audit: type=1400 audit(1583872201.686:36): avc: denied { map } for pid=7455 comm="syz-executor229" path="/root/syz-executor229997541" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 49.371093] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 50.146983] audit: type=1400 audit(1583872202.736:37): avc: denied { create } for pid=7456 comm="syz-executor229" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 50.171206] audit: type=1400 audit(1583872202.736:38): avc: denied { write } for pid=7456 comm="syz-executor229" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 50.177980] ODEBUG: activate active (active state 1) object type: rcu_head hint: (null)
[ 50.195352] audit: type=1400 audit(1583872202.736:39): avc: denied { read } for pid=7456 comm="syz-executor229" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 50.204251] ------------[ cut here ]------------
[ 50.232779] WARNING: CPU: 1 PID: 7457 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 50.241794] Kernel panic - not syncing: panic_on_warn set ...
[ 50.241794]
[ 50.249150] CPU: 1 PID: 7457 Comm: syz-executor229 Not tainted 4.14.172-syzkaller #0
[ 50.257046] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.266385] Call Trace:
[ 50.268961] dump_stack+0x13e/0x194
[ 50.272610] panic+0x1f9/0x42d
[ 50.275782] ? add_taint.cold+0x16/0x16
[ 50.279738] ? debug_print_object.cold+0xa7/0xdb
[ 50.284499] ? debug_print_object.cold+0xa7/0xdb
[ 50.289367] __warn.cold+0x2f/0x30
[ 50.292926] ? ist_end_non_atomic+0x10/0x10
[ 50.297224] ? debug_print_object.cold+0xa7/0xdb
[ 50.301964] report_bug+0x20a/0x248
[ 50.305580] do_error_trap+0x195/0x2d0
[ 50.309448] ? math_error+0x2d0/0x2d0
[ 50.313230] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 50.318057] invalid_op+0x1b/0x40
[ 50.321507] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 50.326848] RSP: 0018:ffff8880956a7430 EFLAGS: 00010082
[ 50.332192] RAX: 0000000000000055 RBX: 0000000000000003 RCX: 0000000000000000
[ 50.339545] RDX: 0000000000000000 RSI: ffffffff86ac0860 RDI: ffffed1012ad4e7c
[ 50.346885] RBP: ffffffff86ab5f60 R08: 0000000000000055 R09: 0000000000000000
[ 50.354135] R10: fffffbfff14a8ce0 R11: ffff8880a42461c0 R12: 0000000000000000
[ 50.361387] R13: 0000000000000001 R14: 1ffff11012ad4e90 R15: ffffffff87d842c0
[ 50.368654] debug_object_activate+0x307/0x450
[ 50.373223] ? debug_object_free+0x390/0x390
[ 50.377623] ? find_held_lock+0x2d/0x110
[ 50.381685] ? route4_walk+0x450/0x450
[ 50.385570] __call_rcu.constprop.0+0x31/0x7e0
[ 50.390153] route4_change+0xb27/0x1c4d
[ 50.394155] ? route4_delete+0x760/0x760
[ 50.398204] ? route4_delete+0x760/0x760
[ 50.402247] tc_ctl_tfilter+0xf13/0x18e6
[ 50.406303] ? tfilter_notify+0x240/0x240
[ 50.410433] ? mutex_trylock+0x1a0/0x1a0
[ 50.414495] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 50.418905] ? tfilter_notify+0x240/0x240
[ 50.423039] rtnetlink_rcv_msg+0x3be/0xb10
[ 50.427255] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 50.431819] ? save_trace+0x290/0x290
[ 50.435599] ? save_trace+0x290/0x290
[ 50.439382] netlink_rcv_skb+0x127/0x370
[ 50.443470] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 50.448038] ? netlink_ack+0x960/0x960
[ 50.451912] netlink_unicast+0x437/0x620
[ 50.455996] ? netlink_attachskb+0x600/0x600
[ 50.460659] netlink_sendmsg+0x733/0xbe0
[ 50.464746] ? netlink_unicast+0x620/0x620
[ 50.468966] ? SYSC_sendto+0x2b0/0x2b0
[ 50.472857] ? security_socket_sendmsg+0x83/0xb0
[ 50.477637] ? netlink_unicast+0x620/0x620
[ 50.481851] sock_sendmsg+0xc5/0x100
[ 50.485576] ___sys_sendmsg+0x70a/0x840
[ 50.489541] ? trace_hardirqs_on+0x10/0x10
[ 50.493757] ? copy_msghdr_from_user+0x380/0x380
[ 50.498496] ? find_held_lock+0x2d/0x110
[ 50.502542] ? lock_downgrade+0x6e0/0x6e0
[ 50.506669] ? __fget+0x228/0x360
[ 50.510101] ? __fget_light+0x199/0x1f0
[ 50.514056] ? sockfd_lookup_light+0xb2/0x160
[ 50.518542] __sys_sendmsg+0xa3/0x120
[ 50.522357] ? SyS_shutdown+0x160/0x160
[ 50.526317] ? move_addr_to_kernel+0x60/0x60
[ 50.530702] ? __do_page_fault+0x35b/0xb40
[ 50.534913] SyS_sendmsg+0x27/0x40
[ 50.538435] ? __sys_sendmsg+0x120/0x120
[ 50.542478] do_syscall_64+0x1d5/0x640
[ 50.546353] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.551556] RIP: 0033:0x4473e9
[ 50.554726] RSP: 002b:00007fde9f58bd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 50.562904] RAX: ffffffffffffffda RBX: 00000000006dcc68 RCX: 00000000004473e9
[ 50.570172] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 50.577424] RBP: 00000000006dcc60 R08: 0000000000000000 R09: 0000000000000000
[ 50.584674] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc6c
[ 50.591923] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[ 50.599178]
[ 50.599180] ======================================================
[ 50.599181] WARNING: possible circular locking dependency detected
[ 50.599183] 4.14.172-syzkaller #0 Not tainted
[ 50.599184] ------------------------------------------------------
[ 50.599186] syz-executor229/7457 is trying to acquire lock:
[ 50.599187] ((console_sem).lock){-...}, at: [] down_trylock+0xe/0x60
[ 50.599191]
[ 50.599192] but task is already holding lock:
[ 50.599193] (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[ 50.599197]
[ 50.599198] which lock already depends on the new lock.
[ 50.599199]
[ 50.599199]
[ 50.599201] the existing dependency chain (in reverse order) is:
[ 50.599202]
[ 50.599202] -> #5 (&obj_hash[i].lock){-.-.}:
[ 50.599207] _raw_spin_lock_irqsave+0x8c/0xbf
[ 50.599208] debug_object_activate+0x10b/0x450
[ 50.599209] enqueue_hrtimer+0x22/0x3b0
[ 50.599211] hrtimer_start_range_ns+0x4e6/0x1060
[ 50.599212] schedule_hrtimeout_range_clock+0x13c/0x2f0
[ 50.599213] wait_task_inactive+0x478/0x530
[ 50.599215] __kthread_bind_mask+0x1f/0xb0
[ 50.599216] create_worker+0x313/0x530
[ 50.599217] workqueue_init+0x55f/0x66e
[ 50.599218] kernel_init_freeable+0x2ab/0x526
[ 50.599219] kernel_init+0xd/0x15b
[ 50.599220] ret_from_fork+0x24/0x30
[ 50.599221]
[ 50.599222] -> #4 (hrtimer_bases.lock){-.-.}:
[ 50.599226] _raw_spin_lock_irqsave+0x8c/0xbf
[ 50.599227] lock_hrtimer_base.isra.0+0x6d/0x120
[ 50.599228] hrtimer_start_range_ns+0x7b/0x1060
[ 50.599230] enqueue_task_rt+0x94d/0xdb0
[ 50.599231] __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 50.599232] _sched_setscheduler+0xf9/0x150
[ 50.599233] watchdog_enable+0xff/0x150
[ 50.599235] smpboot_thread_fn+0x40d/0x920
[ 50.599236] kthread+0x30d/0x420
[ 50.599237] ret_from_fork+0x24/0x30
[ 50.599237]
[ 50.599238] -> #3 (&rt_b->rt_runtime_lock){-.-.}:
[ 50.599242] _raw_spin_lock+0x2a/0x40
[ 50.599243] enqueue_task_rt+0x508/0xdb0
[ 50.599245] __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 50.599246] _sched_setscheduler+0xf9/0x150
[ 50.599247] watchdog_enable+0xff/0x150
[ 50.599248] smpboot_thread_fn+0x40d/0x920
[ 50.599249] kthread+0x30d/0x420
[ 50.599251] ret_from_fork+0x24/0x30
[ 50.599251]
[ 50.599252] -> #2 (&rq->lock){-.-.}:
[ 50.599256] _raw_spin_lock+0x2a/0x40
[ 50.599257] task_fork_fair+0x63/0x5b0
[ 50.599258] sched_fork+0x39a/0xbd0
[ 50.599259] copy_process.part.0+0x15b7/0x6a70
[ 50.599260] _do_fork+0x180/0xc80
[ 50.599261] kernel_thread+0x2f/0x40
[ 50.599262] rest_init+0x1f/0x1d2
[ 50.599264] start_kernel+0x659/0x676
[ 50.599265] secondary_startup_64+0xa5/0xb0
[ 50.599265]
[ 50.599266] -> #1 (&p->pi_lock){-.-.}:
[ 50.599270] _raw_spin_lock_irqsave+0x8c/0xbf
[ 50.599271] try_to_wake_up+0x6a/0xef0
[ 50.599272] up+0x92/0xe0
[ 50.599273] __up_console_sem+0xa9/0x1b0
[ 50.599275] console_unlock+0x596/0xec0
[ 50.599276] vprintk_emit+0x1f8/0x600
[ 50.599277] vprintk_func+0x58/0x152
[ 50.599278] printk+0x9e/0xbc
[ 50.599279] kauditd_hold_skb.cold+0x3e/0x4d
[ 50.599280] kauditd_send_queue+0xfb/0x140
[ 50.599282] kauditd_thread+0x625/0x840
[ 50.599283] kthread+0x30d/0x420
[ 50.599284] ret_from_fork+0x24/0x30
[ 50.599284]
[ 50.599285] -> #0 ((console_sem).lock){-...}:
[ 50.599289] lock_acquire+0x170/0x3f0
[ 50.599290] _raw_spin_lock_irqsave+0x8c/0xbf
[ 50.599291] down_trylock+0xe/0x60
[ 50.599293] __down_trylock_console_sem+0x97/0x1f0
[ 50.599294] console_trylock+0x14/0x70
[ 50.599295] vprintk_emit+0x1ea/0x600
[ 50.599296] vprintk_func+0x58/0x152
[ 50.599297] printk+0x9e/0xbc
[ 50.599299] debug_print_object.cold+0xa7/0xdb
[ 50.599300] debug_object_activate+0x307/0x450
[ 50.599301] __call_rcu.constprop.0+0x31/0x7e0
[ 50.599302] route4_change+0xb27/0x1c4d
[ 50.599303] tc_ctl_tfilter+0xf13/0x18e6
[ 50.599304] rtnetlink_rcv_msg+0x3be/0xb10
[ 50.599306] netlink_rcv_skb+0x127/0x370
[ 50.599307] netlink_unicast+0x437/0x620
[ 50.599308] netlink_sendmsg+0x733/0xbe0
[ 50.599309] sock_sendmsg+0xc5/0x100
[ 50.599310] ___sys_sendmsg+0x70a/0x840
[ 50.599311] __sys_sendmsg+0xa3/0x120
[ 50.599313] SyS_sendmsg+0x27/0x40
[ 50.599314] do_syscall_64+0x1d5/0x640
[ 50.599315] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.599316]
[ 50.599317] other info that might help us debug this:
[ 50.599318]
[ 50.599319] Chain exists of:
[ 50.599319] (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 50.599325]
[ 50.599326] Possible unsafe locking scenario:
[ 50.599327]
[ 50.599328]        CPU0                    CPU1
[ 50.599329]        ----                    ----
[ 50.599330]   lock(&obj_hash[i].lock);
[ 50.599332]                                lock(hrtimer_bases.lock);
[ 50.599335]                                lock(&obj_hash[i].lock);
[ 50.599338]   lock((console_sem).lock);
[ 50.599340]
[ 50.599341] *** DEADLOCK ***
[ 50.599342]
[ 50.599343] 2 locks held by syz-executor229/7457:
[ 50.599343] #0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10
[ 50.599348] #1: (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[ 50.599352]
[ 50.599353] stack backtrace:
[ 50.599355] CPU: 1 PID: 7457 Comm: syz-executor229 Not tainted 4.14.172-syzkaller #0
[ 50.599357] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.599358] Call Trace:
[ 50.599359] dump_stack+0x13e/0x194
[ 50.599360] print_circular_bug.isra.0.cold+0x1c4/0x282
[ 50.599361] __lock_acquire+0x2cb3/0x4620
[ 50.599362] ? string+0x17e/0x1d0
[ 50.599364] ? trace_hardirqs_on+0x10/0x10
[ 50.599365] ? netdev_bits+0xa0/0xa0
[ 50.599366] ? kvm_clock_read+0x1f/0x30
[ 50.599367] ? kvm_sched_clock_read+0x5/0x10
[ 50.599368] lock_acquire+0x170/0x3f0
[ 50.599369] ? down_trylock+0xe/0x60
[ 50.599370] _raw_spin_lock_irqsave+0x8c/0xbf
[ 50.599371] ? down_trylock+0xe/0x60
[ 50.599372] down_trylock+0xe/0x60
[ 50.599374] ? vprintk_emit+0x1ea/0x600
[ 50.599375] __down_trylock_console_sem+0x97/0x1f0
[ 50.599376] console_trylock+0x14/0x70
[ 50.599377] vprintk_emit+0x1ea/0x600
[ 50.599378] vprintk_func+0x58/0x152
[ 50.599379] printk+0x9e/0xbc
[ 50.599380] ? show_regs_print_info+0x5b/0x5b
[ 50.599381] ? lock_acquire+0x170/0x3f0
[ 50.599383] ? debug_object_activate+0x10b/0x450
[ 50.599384] debug_print_object.cold+0xa7/0xdb
[ 50.599385] debug_object_activate+0x307/0x450
[ 50.599386] ? debug_object_free+0x390/0x390
[ 50.599387] ? find_held_lock+0x2d/0x110
[ 50.599388] ? route4_walk+0x450/0x450
[ 50.599390] __call_rcu.constprop.0+0x31/0x7e0
[ 50.599391] route4_change+0xb27/0x1c4d
[ 50.599392] ? route4_delete+0x760/0x760
[ 50.599393] ? route4_delete+0x760/0x760
[ 50.599394] tc_ctl_tfilter+0xf13/0x18e6
[ 50.599395] ? tfilter_notify+0x240/0x240
[ 50.599397] ? mutex_trylock+0x1a0/0x1a0
[ 50.599398] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 50.599399] ? tfilter_notify+0x240/0x240
[ 50.599400] rtnetlink_rcv_msg+0x3be/0xb10
[ 50.599401] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 50.599402] ? save_trace+0x290/0x290
[ 50.599403] ? save_trace+0x290/0x290
[ 50.599405] netlink_rcv_skb+0x127/0x370
[ 50.599406] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 50.599407] ? netlink_ack+0x960/0x960
[ 50.599408] netlink_unicast+0x437/0x620
[ 50.599409] ? netlink_attachskb+0x600/0x600
[ 50.599410] netlink_sendmsg+0x733/0xbe0
[ 50.599411] ? netlink_unicast+0x620/0x620
[ 50.599413] ? SYSC_sendto+0x2b0/0x2b0
[ 50.599414] ? security_socket_sendmsg+0x83/0xb0
[ 50.599415] ? netlink_unicast+0x620/0x620
[ 50.599416] sock_sendmsg+0xc5/0x100
[ 50.599417] ___sys_sendmsg+0x70a/0x840
[ 50.599418] ? trace_hardirqs_on+0x10/0x10
[ 50.599420] ? copy_msghdr_from_user+0x380/0x380
[ 50.599421] ? find_held_lock+0x2d/0x110
[ 50.599422] ? lock_downgrade+0x6e0/0x6e0
[ 50.599423] ? __fget+0x228/0x360
[ 50.599424] ? __fget_light+0x199/0x1f0
[ 50.599425] ? sockfd_lookup_light+0xb2/0x160
[ 50.599426] __sys_sendmsg+0xa3/0x120
[ 50.599428] ? SyS_shutdown+0x160/0x160
[ 50.599429] ? move_addr_to_kernel+0x60/0x60
[ 50.599430] ? __do_page_fault+0x35b/0xb40
[ 50.599431] SyS_sendmsg+0x27/0x40
[ 50.599432] ? __sys_sendmsg+0x120/0x120
[ 50.599433] do_syscall_64+0x1d5/0x640
[ 50.599435] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.599436] RIP: 0033:0x4473e9
[ 50.599437] RSP: 002b:00007fde9f58bd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 50.599440] RAX: ffffffffffffffda RBX: 00000000006dcc68 RCX: 00000000004473e9
[ 50.599442] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 50.599443] RBP: 00000000006dcc60 R08: 0000000000000000 R09: 0000000000000000
[ 50.599445] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc6c
[ 50.599447] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[ 50.600654] Kernel Offset: disabled
[ 51.486397] Rebooting in 86400 seconds..