Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.042062] audit: type=1400 audit(1518491978.365:6): avc: denied { map } for pid=4149 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   19.072598] sshd (4147) used greatest stack depth: 16800 bytes left
Warning: Permanently added '10.128.15.208' (ECDSA) to the list of known hosts.
executing program
[   25.382816] audit: type=1400 audit(1518491984.706:7): avc: denied { map } for pid=4163 comm="syzkaller832372" path="/root/syzkaller832372884" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   25.411893] ------------[ cut here ]------------
[   25.417429] ODEBUG: free active (active state 0) object type: timer_list hint: led_timeout_callback+0x0/0x20
[   25.427440] WARNING: CPU: 1 PID: 4163 at lib/debugobjects.c:291 debug_print_object+0x166/0x220
[   25.436160] Kernel panic - not syncing: panic_on_warn set ...
[   25.436160]
[   25.443498] CPU: 1 PID: 4163 Comm: syzkaller832372 Not tainted 4.16.0-rc1+ #310
[   25.450915] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.460241] Call Trace:
[   25.462803]  dump_stack+0x194/0x257
[   25.466402]  ? arch_local_irq_restore+0x53/0x53
[   25.471050]  ? vsnprintf+0x1ed/0x1900
[   25.474825]  panic+0x1e4/0x41c
[   25.477988]  ? refcount_error_report+0x214/0x214
[   25.482719]  ? show_regs_print_info+0x18/0x18
[   25.487195]  ? __warn+0x1c1/0x200
[   25.490624]  ? debug_print_object+0x166/0x220
[   25.495092]  __warn+0x1dc/0x200
[   25.498343]  ? debug_print_object+0x166/0x220
[   25.502810]  report_bug+0x211/0x2d0
[   25.506412]  fixup_bug.part.11+0x37/0x80
[   25.510445]  do_error_trap+0x2d7/0x3e0
[   25.514302]  ? vprintk_default+0x28/0x30
[   25.518333]  ? math_error+0x400/0x400
[   25.522108]  ? printk+0xaa/0xca
[   25.525360]  ? show_regs_print_info+0x18/0x18
[   25.529826]  ? lock_release+0xa40/0xa40
[   25.533775]  ? __internal_add_timer+0x2d0/0x2d0
[   25.538417]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   25.543234]  ? __internal_add_timer+0x2d0/0x2d0
[   25.547875]  do_invalid_op+0x1b/0x20
[   25.551563]  invalid_op+0x22/0x40
[   25.554987] RIP: 0010:debug_print_object+0x166/0x220
[   25.560058] RSP: 0018:ffff8801b83f7630 EFLAGS: 00010082
[   25.565391] RAX: dffffc0000000008 RBX: 0000000000000003 RCX: ffffffff815aaf5e
[   25.572632] RDX: 0000000000000000 RSI: 1ffff1003707ee76 RDI: 1ffff1003707ee4b
[   25.579873] RBP: ffff8801b83f7670 R08: 0000000000000000 R09: 1ffff1003707ee1d
[   25.587116] R10: ffffed003707eef5 R11: ffffffff86b39478 R12: 0000000000000001
[   25.594356] R13: ffffffff86b4ace0 R14: ffffffff86007c60 R15: ffffffff815fd9c0
[   25.601608]  ? __internal_add_timer+0x2d0/0x2d0
[   25.606253]  ? vprintk_func+0x5e/0xc0
[   25.610041]  debug_check_no_obj_freed+0x662/0xf1f
[   25.614866]  ? free_obj_work+0x690/0x690
[   25.618898]  ? up_read+0x40/0x40
[   25.622235]  ? wait_for_completion+0x770/0x770
[   25.626789]  ? up_read+0x1a/0x40
[   25.630128]  ? __lock_is_held+0xb6/0x140
[   25.634163]  ? debug_check_no_locks_freed+0x264/0x3c0
[   25.639329]  kfree+0xc7/0x260
[   25.642408]  led_tg_destroy+0x28a/0x3f0
[   25.646360]  ? state_mt+0x100/0x100
[   25.649961]  ? cleanup_match+0x198/0x220
[   25.653995]  ? hmark_tg_v4+0xfa0/0xfa0
[   25.657859]  ? hmark_tg_v4+0xfa0/0xfa0
[   25.661721]  cleanup_entry+0x218/0x350
[   25.665581]  ? cleanup_match+0x220/0x220
[   25.669613]  ? trace_event_raw_event_sched_switch+0x810/0x810
[   25.675471]  ? find_next_bit+0x32/0x100
[   25.679420]  __do_replace+0x79d/0xa50
[   25.683203]  ? compat_table_info+0x470/0x470
[   25.687591]  ? kasan_check_write+0x14/0x20
[   25.691800]  ? _copy_from_user+0x99/0x110
[   25.695923]  do_ipt_set_ctl+0x40f/0x5f0
[   25.699872]  ? translate_compat_table+0x1b90/0x1b90
[   25.704864]  ? mutex_unlock+0xd/0x10
[   25.708553]  ? nf_sockopt_find.constprop.0+0x1a7/0x220
[   25.713800]  nf_setsockopt+0x67/0xc0
[   25.717486]  ip_setsockopt+0x97/0xa0
[   25.721176]  tcp_setsockopt+0x82/0xd0
[   25.724952]  sock_common_setsockopt+0x95/0xd0
[   25.729422]  SyS_setsockopt+0x189/0x360
[   25.733371]  ? SyS_recv+0x40/0x40
[   25.736802]  ? mm_fault_error+0x2c0/0x2c0
[   25.740923]  ? move_addr_to_kernel+0x60/0x60
[   25.745303]  ? do_syscall_64+0xb7/0x940
[   25.749257]  ? SyS_recv+0x40/0x40
[   25.752685]  do_syscall_64+0x282/0x940
[   25.756547]  ? __do_page_fault+0xc90/0xc90
[   25.760755]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.765484]  ? syscall_return_slowpath+0x550/0x550
[   25.770388]  ? syscall_return_slowpath+0x2ac/0x550
[   25.775287]  ? prepare_exit_to_usermode+0x350/0x350
[   25.780278]  ? retint_user+0x18/0x18
[   25.783969]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   25.788787]  entry_SYSCALL_64_after_hwframe+0x26/0x9b
[   25.793949] RIP: 0033:0x444aca
[   25.797112] RSP: 002b:00007ffc5c5e38e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000036
[   25.804793] RAX: ffffffffffffffda RBX: 00000000006cf9c0 RCX: 0000000000444aca
[   25.812037] RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
[   25.819280] RBP: 00000000006cf9c0 R08: 00000000000002d8 R09: 0000000000004000
[   25.826518] R10: 00000000006cf960 R11: 0000000000000206 R12: 00007ffc5c5e3910
[   25.833757] R13: 00000000006d1b80 R14: 0000000000000003 R15: 0000000000000000
[   25.841033]
[   25.841035] ======================================================
[   25.841036] WARNING: possible circular locking dependency detected
[   25.841038] 4.16.0-rc1+ #310 Not tainted
[   25.841039] ------------------------------------------------------
[   25.841041] syzkaller832372/4163 is trying to acquire lock:
[   25.841042]  ((console_sem).lock){..-.}, at: [<0000000039fb4208>] down_trylock+0x13/0x70
[   25.841046]
[   25.841048] but task is already holding lock:
[   25.841048]  (&obj_hash[i].lock){-.-.}, at: [<0000000056d2f8d2>] debug_check_no_obj_freed+0x1e9/0xf1f
[   25.841053]
[   25.841054] which lock already depends on the new lock.
[   25.841055]
[   25.841056]
[   25.841057] the existing dependency chain (in reverse order) is:
[   25.841058]
[   25.841059] -> #3 (&obj_hash[i].lock){-.-.}:
[   25.841063]        _raw_spin_lock_irqsave+0x96/0xc0
[   25.841064]        __debug_object_init+0x109/0x1040
[   25.841066]        debug_object_init+0x17/0x20
[   25.841067]        hrtimer_init+0x8c/0x410
[   25.841068]        init_dl_task_timer+0x1b/0x50
[   25.841070]        __sched_fork+0x2bb/0xb60
[   25.841071]        init_idle+0x75/0x820
[   25.841072]        sched_init+0xb19/0xc43
[   25.841073]        start_kernel+0x452/0x819
[   25.841074]        x86_64_start_reservations+0x2a/0x2c
[   25.841076]        x86_64_start_kernel+0x77/0x7a
[   25.841077]        secondary_startup_64+0xa5/0xb0
[   25.841078]
[   25.841078] -> #2 (&rq->lock){-.-.}:
[   25.841082]        _raw_spin_lock+0x2a/0x40
[   25.841084]        task_fork_fair+0x7a/0x690
[   25.841085]        sched_fork+0x450/0xc10
[   25.841086]        copy_process.part.37+0x1758/0x4b60
[   25.841087]        _do_fork+0x1f7/0xf70
[   25.841088]        kernel_thread+0x34/0x40
[   25.841089]        rest_init+0x22/0xf0
[   25.841091]        start_kernel+0x7f1/0x819
[   25.841092]        x86_64_start_reservations+0x2a/0x2c
[   25.841093]        x86_64_start_kernel+0x77/0x7a
[   25.841095]        secondary_startup_64+0xa5/0xb0
[   25.841095]
[   25.841096] -> #1 (&p->pi_lock){-.-.}:
[   25.841100]        _raw_spin_lock_irqsave+0x96/0xc0
[   25.841101]        try_to_wake_up+0xbc/0x15f0
[   25.841103]        wake_up_process+0x10/0x20
[   25.841104]        __up.isra.0+0x1cc/0x2c0
[   25.841105]        up+0x13b/0x1d0
[   25.841106]        __up_console_sem+0xb2/0x1a0
[   25.841107]        console_unlock+0x5af/0xfb0
[   25.841109]        vprintk_emit+0x5c3/0xb90
[   25.841110]        vprintk_default+0x28/0x30
[   25.841111]        vprintk_func+0x57/0xc0
[   25.841112]        printk+0xaa/0xca
[   25.841113]        kauditd_hold_skb+0x163/0x180
[   25.841115]        kauditd_send_queue+0xfa/0x140
[   25.841116]        kauditd_thread+0x660/0x940
[   25.841117]        kthread+0x33c/0x400
[   25.841118]        ret_from_fork+0x3a/0x50
[   25.841119]
[   25.841120] -> #0 ((console_sem).lock){..-.}:
[   25.841124]        lock_acquire+0x1d5/0x580
[   25.841125]        _raw_spin_lock_irqsave+0x96/0xc0
[   25.841126]        down_trylock+0x13/0x70
[   25.841128]        __down_trylock_console_sem+0xa2/0x1e0
[   25.841129]        console_trylock+0x15/0x70
[   25.841130]        vprintk_emit+0x5b5/0xb90
[   25.841131]        vprintk_default+0x28/0x30
[   25.841133]        vprintk_func+0x57/0xc0
[   25.841134]        printk+0xaa/0xca
[   25.841135]        __warn_printk+0x90/0xf0
[   25.841136]        debug_print_object+0x166/0x220
[   25.841138]        debug_check_no_obj_freed+0x662/0xf1f
[   25.841139]        kfree+0xc7/0x260
[   25.841140]        led_tg_destroy+0x28a/0x3f0
[   25.841141]        cleanup_entry+0x218/0x350
[   25.841142]        __do_replace+0x79d/0xa50
[   25.841144]        do_ipt_set_ctl+0x40f/0x5f0
[   25.841145]        nf_setsockopt+0x67/0xc0
[   25.841146]        ip_setsockopt+0x97/0xa0
[   25.841147]        tcp_setsockopt+0x82/0xd0
[   25.841148]        sock_common_setsockopt+0x95/0xd0
[   25.841150]        SyS_setsockopt+0x189/0x360
[   25.841151]        do_syscall_64+0x282/0x940
[   25.841152]        entry_SYSCALL_64_after_hwframe+0x26/0x9b
[   25.841153]
[   25.841154] other info that might help us debug this:
[   25.841155]
[   25.841156] Chain exists of:
[   25.841157]   (console_sem).lock --> &rq->lock --> &obj_hash[i].lock
[   25.841162]
[   25.841163]  Possible unsafe locking scenario:
[   25.841164]
[   25.841165]        CPU0                    CPU1
[   25.841166]        ----                    ----
[   25.841167]   lock(&obj_hash[i].lock);
[   25.841170]                                lock(&rq->lock);
[   25.841173]                                lock(&obj_hash[i].lock);
[   25.841175]   lock((console_sem).lock);
[   25.841177]
[   25.841178]  *** DEADLOCK ***
[   25.841179]
[   25.841180] 2 locks held by syzkaller832372/4163:
[   25.841181]  #0:  (&xt[i].mutex){+.+.}, at: [<000000000bde75ab>] xt_find_table_lock+0x3e/0x3e0
[   25.841186]  #1:  (&obj_hash[i].lock){-.-.}, at: [<0000000056d2f8d2>] debug_check_no_obj_freed+0x1e9/0xf1f
[   25.841190]
[   25.841191] stack backtrace:
[   25.841193] CPU: 1 PID: 4163 Comm: syzkaller832372 Not tainted 4.16.0-rc1+ #310
[   25.841196] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.841197] Call Trace:
[   25.841198]  dump_stack+0x194/0x257
[   25.841199]  ? arch_local_irq_restore+0x53/0x53
[   25.841201]  print_circular_bug.isra.38+0x2cd/0x2dc
[   25.841202]  ? save_trace+0xe0/0x2b0
[   25.841203]  __lock_acquire+0x30a8/0x3e00
[   25.841204]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   25.841206]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   25.841207]  ? print_irqtrace_events+0x270/0x270
[   25.841208]  ? __lock_acquire+0x664/0x3e00
[   25.841210]  ? check_noncircular+0x20/0x20
[   25.841211]  ? print_irqtrace_events+0x270/0x270
[   25.841212]  ? __lock_acquire+0x664/0x3e00
[   25.841214]  ? check_usage+0x22f/0xb60
[   25.841215]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   25.841216]  ? check_noncircular+0x20/0x20
[   25.841218]  ? print_irqtrace_events+0x270/0x270
[   25.841219]  lock_acquire+0x1d5/0x580
[   25.841220]  ? lock_acquire+0x1d5/0x580
[   25.841221]  ? down_trylock+0x13/0x70
[   25.841222]  ? lock_release+0xa40/0xa40
[   25.841223]  ? vprintk_emit+0x43b/0xb90
[   25.841225]  ? lock_downgrade+0x980/0x980
[   25.841226]  ? kvm_sched_clock_read+0x25/0x40
[   25.841227]  ? sched_clock+0x31/0x40
[   25.841228]  ? sched_clock_cpu+0x1b/0x180
[   25.841229]  ? vprintk_emit+0x5b5/0xb90
[   25.841231]  _raw_spin_lock_irqsave+0x96/0xc0
[   25.841232]  ? down_trylock+0x13/0x70
[   25.841233]  down_trylock+0x13/0x70
[   25.841234]  ? vprintk_emit+0x5b5/0xb90
[   25.841235]  __down_trylock_console_sem+0xa2/0x1e0
[   25.841237]  console_trylock+0x15/0x70
[   25.841238]  vprintk_emit+0x5b5/0xb90
[   25.841239]  ? console_unlock+0xfb0/0xfb0
[   25.841240]  ? check_noncircular+0x20/0x20
[   25.841241]  ? find_held_lock+0x35/0x1d0
[   25.841243]  ? is_bpf_text_address+0x7b/0x120
[   25.841244]  ? find_held_lock+0x35/0x1d0
[   25.841245]  ? __internal_add_timer+0x2d0/0x2d0
[   25.841246]  vprintk_default+0x28/0x30
[   25.841247]  vprintk_func+0x57/0xc0
[   25.841249]  printk+0xaa/0xca
[   25.841250]  ? show_regs_print_info+0x18/0x18
[   25.841251]  ? lock_release+0xa40/0xa40
[   25.841252]  ? __warn_printk+0x84/0xf0
[   25.841253]  ? led_tg_destroy+0x3f0/0x3f0
[   25.841254]  __warn_printk+0x90/0xf0
[   25.841256]  ? test_taint+0x20/0x20
[   25.841257]  ? lock_release+0xa40/0xa40
[   25.841258]  ? depot_save_stack+0x2ca/0x460
[   25.841259]  ? led_tg_destroy+0x3f0/0x3f0
[   25.841260]  debug_print_object+0x166/0x220
[   25.841262]  debug_check_no_obj_freed+0x662/0xf1f
[   25.841263]  ? free_obj_work+0x690/0x690
[   25.841264]  ? up_read+0x40/0x40
[   25.841265]  ? wait_for_completion+0x770/0x770
[   25.841267]  ? up_read+0x1a/0x40
[   25.841268]  ? __lock_is_held+0xb6/0x140
[   25.841269]  ? debug_check_no_locks_freed+0x264/0x3c0
[   25.841270]  kfree+0xc7/0x260
[   25.841271]  led_tg_destroy+0x28a/0x3f0
[   25.841272]  ? state_mt+0x100/0x100
[   25.841274]  ? cleanup_match+0x198/0x220
[   25.841275]  ? hmark_tg_v4+0xfa0/0xfa0
[   25.841276]  ? hmark_tg_v4+0xfa0/0xfa0
[   25.841277]  cleanup_entry+0x218/0x350
[   25.841278]  ? cleanup_match+0x220/0x220
[   25.841280]  ? trace_event_raw_event_sched_switch+0x810/0x810
[   25.841281]  ? find_next_bit+0x32/0x100
[   25.841282]  __do_replace+0x79d/0xa50
[   25.841284]  ? compat_table_info+0x470/0x470
[   25.841285]  ? kasan_check_write+0x14/0x20
[   25.841286]  ? _copy_from_user+0x99/0x110
[   25.841287]  do_ipt_set_ctl+0x40f/0x5f0
[   25.841289]  ? translate_compat_table+0x1b90/0x1b90
[   25.841290]  ? mutex_unlock+0xd/0x10
[   25.841291]  ? nf_sockopt_find.constprop.0+0x1a7/0x220
[   25.841292]  nf_setsockopt+0x67/0xc0
[   25.841293]  ip_setsockopt+0x97/0xa0
[   25.841294]  tcp_setsockopt+0x82/0xd0
[   25.841296]  sock_common_setsockopt+0x95/0xd0
[   25.841297]  SyS_setsockopt+0x189/0x360
[   25.841298]  ? SyS_recv+0x40/0x40
[   25.841299]  ? mm_fault_error+0x2c0/0x2c0
[   25.841301]  ? move_addr_to_kernel+0x60/0x60
[   25.841302]  ? do_syscall_64+0xb7/0x940
[   25.841303]  ? SyS_recv+0x40/0x40
[   25.841304]  do_syscall_64+0x282/0x940
[   25.841305]  ? __do_page_fault+0xc90/0xc90
[   25.841307]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.841308]  ? syscall_return_slowpath+0x550/0x550
[   25.841310]  ? syscall_return_slowpath+0x2ac/0x550
[   25.841311]  ? prepare_exit_to_usermode+0x350/0x350
[   25.841312]  ? retint_user+0x18/0x18
[   25.841314]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   25.841315]  entry_SYSCALL_64_after_hwframe+0x26/0x9b
[   25.841316] RIP: 0033:0x444aca
[   25.841318] RSP: 002b:00007ffc5c5e38e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000036
[   25.841321] RAX: ffffffffffffffda RBX: 00000000006cf9c0 RCX: 0000000000444aca
[   25.841323] RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
[   25.841324] RBP: 00000000006cf9c0 R08: 00000000000002d8 R09: 0000000000004000
[   25.841326] R10: 00000000006cf960 R11: 0000000000000206 R12: 00007ffc5c5e3910
[   25.841328] R13: 00000000006d1b80 R14: 0000000000000003 R15: 0000000000000000
[   25.841712] Dumping ftrace buffer:
[   26.771262]    (ftrace buffer empty)
[   26.774944] Kernel Offset: disabled
[   26.778543] Rebooting in 86400 seconds..
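Added example, not part of the report above and not the kernel's xt_LED code. The first WARNING is debugobjects (CONFIG_DEBUG_OBJECTS_FREE, lib/debugobjects.c) catching a kfree() of memory that still holds an armed timer_list whose callback is led_timeout_callback; the free happens in led_tg_destroy while an iptables table is replaced (__do_replace -> cleanup_entry), and panic_on_warn turns the warning into the panic. Without the check the timer would later expire on freed memory, a use-after-free driven from the timer wheel. The lockdep splat that follows is a by-product of printing that warning: debug_check_no_obj_freed holds &obj_hash[i].lock (held lock #1) when printk takes the console semaphore, which is the "#0" step of the dependency chain shown. The user-space C model below shows what the check tests and one way a refcounted object shared between rules can reach kfree() with its timer still pending: teardown deciding whether to cancel from the per-rule delay instead of from the object's own state. Whether that is the actual cause in xt_LED is not established by the log, so the names, the one-slot registry and the scenario are assumptions.

```c
/* Added example (user-space model), not kernel code: the names, the one-slot
 * registry and the per-rule vs. shared-state split are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the state debugobjects keeps for each timer_list:
 * initialized = timer_setup() was called, pending = mod_timer() armed it. */
struct timer { bool initialized; bool pending; };

/* Shared per-trigger state, refcounted across rules that use the same id. */
struct led_state { const char *id; int refcnt; struct timer timer; };

/* Per-rule parameters: delay 0 means no timer, > 0 arms the timer per hit. */
struct led_rule { unsigned delay; struct led_state *state; };

static struct led_state *registry; /* hypothetical one-slot trigger list */
static int odebug_warnings;        /* "free active object" hits */

/* checkentry: look up or create the shared state for this id. */
static int rule_check(struct led_rule *r, const char *id, unsigned delay)
{
    r->delay = delay;
    if (registry && strcmp(registry->id, id) == 0) {
        registry->refcnt++;        /* reuse: timer already set up (or not) */
    } else {
        registry = calloc(1, sizeof *registry);
        if (!registry)
            return -1;
        registry->id = id;
        registry->refcnt = 1;
        registry->timer.initialized = delay > 0; /* timer_setup() if needed */
    }
    r->state = registry;
    return 0;
}

/* A packet matched the rule: mod_timer() when this rule uses a delay. */
static void rule_hit(struct led_rule *r)
{
    if (r->delay > 0 && r->state->timer.initialized)
        r->state->timer.pending = true;
}

/* kfree() with the debug_check_no_obj_freed() hook in front of it: an
 * initialized timer that is still pending is the "free active" case. */
static void kfree_checked(struct led_state *s)
{
    if (s->timer.initialized && s->timer.pending)
        odebug_warnings++;         /* the WARNING in the log above */
    free(s);
}

/* Unsafe teardown: whether to cancel is decided from this rule's delay. */
static void rule_destroy_unsafe(struct led_rule *r)
{
    struct led_state *s = r->state;
    if (--s->refcnt)
        return;
    if (r->delay > 0)
        s->timer.pending = false;  /* del_timer_sync() */
    registry = NULL;
    kfree_checked(s);
}

/* Safe teardown: whether to cancel is decided from the object's own state. */
static void rule_destroy_safe(struct led_rule *r)
{
    struct led_state *s = r->state;
    if (--s->refcnt)
        return;
    if (s->timer.initialized)
        s->timer.pending = false;  /* del_timer_sync() before kfree() */
    registry = NULL;
    kfree_checked(s);
}

/* Rule A (delay 100) creates and arms the timer; rule B (delay 0) shares it and
 * drops the last reference after A is gone. Returns the ODEBUG warning count. */
static int run_scenario(bool safe)
{
    struct led_rule a, b;
    void (*destroy)(struct led_rule *) = safe ? rule_destroy_safe
                                             : rule_destroy_unsafe;
    odebug_warnings = 0;
    registry = NULL;
    if (rule_check(&a, "netfilter-led", 100) || rule_check(&b, "netfilter-led", 0))
        return -1;
    rule_hit(&a);
    destroy(&a);
    destroy(&b);
    return odebug_warnings;
}

int main(void)
{
    printf("unsafe teardown: %d warning(s)\n", run_scenario(false));
    printf("safe teardown:   %d warning(s)\n", run_scenario(true));
    return 0;
}
```

The unsafe path reports one warning, the safe path none. The general rule the safe variant follows is the one ODEBUG enforces: the decision to cancel must come from what the object owns (its timer was set up), not from the parameters of whichever rule happens to drop the last reference, and del_timer_sync() (timer_shutdown_sync() on newer kernels) must complete before the memory is freed. In a CONFIG_DEBUG_OBJECTS build this class of bug shows up as the WARNING above on the free; in a production build it shows up later as a timer callback running on reused memory.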