[ 38.310305] audit: type=1800 audit(1572254446.432:32): pid=7461 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
Starting mcstransd:
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[....] Starting file context maintaining daemon: restorecond [ ok ].
[ 39.158572] audit: type=1800 audit(1572254447.352:33): pid=7461 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.22' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 55.218984] kauditd_printk_skb: 2 callbacks suppressed
[ 55.219001] audit: type=1400 audit(1572254463.412:36): avc: denied { map } for pid=7650 comm="syz-executor502" path="/root/syz-executor502176143" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 60.230822] ------------[ cut here ]------------
[ 60.236727] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80
[ 60.246721] WARNING: CPU: 1 PID: 7653 at lib/debugobjects.c:325 debug_print_object+0x168/0x250
[ 60.255458] Kernel panic - not syncing: panic_on_warn set ...
[ 60.255458]
[ 60.262808] CPU: 1 PID: 7653 Comm: syz-executor502 Not tainted 4.19.80 #0
[ 60.269890] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.279266] Call Trace:
[ 60.281868]  dump_stack+0x172/0x1f0
[ 60.285486]  panic+0x26a/0x50e
[ 60.288682]  ? __warn_printk+0xf3/0xf3
[ 60.292560]  ? debug_print_object+0x168/0x250
[ 60.297051]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 60.302590]  ? __warn.cold+0x5/0x53
[ 60.306207]  ? __warn+0xe8/0x1d0
[ 60.309602]  ? debug_print_object+0x168/0x250
[ 60.314083]  __warn.cold+0x20/0x53
[ 60.317624]  ? trace_hardirqs_off+0x62/0x220
[ 60.322037]  ? debug_print_object+0x168/0x250
[ 60.326518]  report_bug+0x263/0x2b0
[ 60.330129]  do_error_trap+0x204/0x360
[ 60.334002]  ? math_error+0x340/0x340
[ 60.337788]  ? wake_up_klogd+0x99/0xd0
[ 60.341660]  ? vprintk_emit+0x1ab/0x690
[ 60.345619]  ? error_entry+0x7c/0xe0
[ 60.349316]  ? trace_hardirqs_off_caller+0x65/0x220
[ 60.354320]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 60.359173]  do_invalid_op+0x1b/0x20
[ 60.362870]  invalid_op+0x14/0x20
[ 60.371171] RIP: 0010:debug_print_object+0x168/0x250
[ 60.376260] Code: dd 60 4b 82 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48 8b 14 dd 60 4b 82 87 48 c7 c7 a0 40 82 87 e8 16 27 1a fe <0f> 0b 83 05 fb f4 18 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
[ 60.395148] RSP: 0018:ffff88808490f8d8 EFLAGS: 00010086
[ 60.400496] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[ 60.407748] RDX: 0000000000000000 RSI: ffffffff81553f06 RDI: ffffed1010921f0d
[ 60.414999] RBP: ffff88808490f918 R08: ffff88808be00600 R09: ffffed1015d23ee3
[ 60.422251] R10: ffffed1015d23ee2 R11: ffff8880ae91f717 R12: 0000000000000001
[ 60.429513] R13: ffffffff887aaac0 R14: ffffffff815ab490 R15: ffff88809bbdbda8
[ 60.436798]  ? __internal_add_timer+0x1f0/0x1f0
[ 60.441461]  ? vprintk_func+0x86/0x189
[ 60.445336]  ? debug_print_object+0x168/0x250
[ 60.449820]  debug_check_no_obj_freed+0x29f/0x464
[ 60.454662]  kfree+0xbd/0x220
[ 60.457762]  rfcomm_dlc_free+0x20/0x30
[ 60.461635]  rfcomm_dev_ioctl+0x181f/0x1b60
[ 60.465983]  ? __local_bh_enable_ip+0x15a/0x270
[ 60.470638]  ? lock_sock_nested+0xe2/0x120
[ 60.474890]  ? __local_bh_enable_ip+0x15a/0x270
[ 60.479547]  ? rfcomm_dev_state_change+0x150/0x150
[ 60.484461]  ? __local_bh_enable_ip+0x15a/0x270
[ 60.489129]  rfcomm_sock_ioctl+0x90/0xb0
[ 60.493177]  sock_do_ioctl+0xd8/0x2f0
[ 60.496963]  ? compat_ifr_data_ioctl+0x160/0x160
[ 60.501704]  ? __lock_acquire+0x6ee/0x49c0
[ 60.505923]  ? rcu_read_lock_sched_held+0x110/0x130
[ 60.510939]  ? kmem_cache_alloc+0x32a/0x700
[ 60.515433]  sock_ioctl+0x325/0x610
[ 60.519307]  ? dlci_ioctl_set+0x40/0x40
[ 60.523263]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 60.528900]  ? __might_sleep+0x95/0x190
[ 60.532868]  ? find_held_lock+0x35/0x130
[ 60.536927]  ? dlci_ioctl_set+0x40/0x40
[ 60.540908]  do_vfs_ioctl+0xd5f/0x1380
[ 60.544893]  ? selinux_file_ioctl+0x46f/0x5e0
[ 60.549554]  ? selinux_file_ioctl+0x125/0x5e0
[ 60.554049]  ? ioctl_preallocate+0x210/0x210
[ 60.558447]  ? selinux_file_mprotect+0x620/0x620
[ 60.563215]  ? __sanitizer_cov_trace_cmp1+0xb/0x20
[ 60.568132]  ? __fd_install+0x200/0x640
[ 60.572177]  ? fd_install+0x4d/0x60
[ 60.575806]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 60.581347]  ? security_file_ioctl+0x8d/0xc0
[ 60.585751]  ksys_ioctl+0xab/0xd0
[ 60.589204]  __x64_sys_ioctl+0x73/0xb0
[ 60.593090]  do_syscall_64+0xfd/0x620
[ 60.596884]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.602056] RIP: 0033:0x441229
[ 60.605237] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 60.624121] RSP: 002b:00007ffcc797a188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 60.631838] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 60.639102] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 60.646372] RBP: 000000000000eb23 R08: 00000000004002c8 R09: 00000000004002c8
[ 60.653640] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 60.660903] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 60.668166]
[ 60.668170] ======================================================
[ 60.668173] WARNING: possible circular locking dependency detected
[ 60.668175] 4.19.80 #0 Not tainted
[ 60.668178] ------------------------------------------------------
[ 60.668181] syz-executor502/7653 is trying to acquire lock:
[ 60.668183] 00000000d1b698e0 ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[ 60.668192]
[ 60.668194] but task is already holding lock:
[ 60.668196] 0000000038f5d169 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 60.668205]
[ 60.668208] which lock already depends on the new lock.
[ 60.668209]
[ 60.668210]
[ 60.668213] the existing dependency chain (in reverse order) is:
[ 60.668215]
[ 60.668216] -> #3 (&obj_hash[i].lock){-.-.}:
[ 60.668224]        _raw_spin_lock_irqsave+0x95/0xcd
[ 60.668227]        __debug_object_init+0xc6/0xc30
[ 60.668229]        debug_object_init+0x16/0x20
[ 60.668232]        hrtimer_init+0x2a/0x300
[ 60.668234]        init_dl_task_timer+0x1b/0x50
[ 60.668237]        __sched_fork+0x22a/0x4b0
[ 60.668239]        init_idle+0x75/0x800
[ 60.668241]        sched_init+0x952/0x9f0
[ 60.668243]        start_kernel+0x402/0x8c5
[ 60.668246]        x86_64_start_reservations+0x29/0x2b
[ 60.668248]        x86_64_start_kernel+0x77/0x7b
[ 60.668251]        secondary_startup_64+0xa4/0xb0
[ 60.668252]
[ 60.668253] -> #2 (&rq->lock){-.-.}:
[ 60.668261]        _raw_spin_lock+0x2f/0x40
[ 60.668263]        task_fork_fair+0x6a/0x520
[ 60.668266]        sched_fork+0x3af/0x900
[ 60.668268]        copy_process.part.0+0x1859/0x7a30
[ 60.668270]        _do_fork+0x257/0xfd0
[ 60.668273]        kernel_thread+0x34/0x40
[ 60.668275]        rest_init+0x24/0x222
[ 60.668277]        start_kernel+0x88c/0x8c5
[ 60.668280]        x86_64_start_reservations+0x29/0x2b
[ 60.668282]        x86_64_start_kernel+0x77/0x7b
[ 60.668285]        secondary_startup_64+0xa4/0xb0
[ 60.668286]
[ 60.668287] -> #1 (&p->pi_lock){-.-.}:
[ 60.668295]        _raw_spin_lock_irqsave+0x95/0xcd
[ 60.668298]        try_to_wake_up+0x94/0xf50
[ 60.668300]        wake_up_process+0x10/0x20
[ 60.668302]        __up.isra.0+0x136/0x1a0
[ 60.668304]        up+0x9c/0xe0
[ 60.668306]        __up_console_sem+0xb7/0x1c0
[ 60.668309]        console_unlock+0x6c7/0x10b0
[ 60.668311]        vprintk_emit+0x238/0x690
[ 60.668313]        vprintk_default+0x28/0x30
[ 60.668316]        vprintk_func+0x7e/0x189
[ 60.668317]        printk+0xba/0xed
[ 60.668320]        kauditd_hold_skb.cold+0x3f/0x4e
[ 60.668322]        kauditd_send_queue+0x12b/0x170
[ 60.668325]        kauditd_thread+0x732/0xa60
[ 60.668327]        kthread+0x354/0x420
[ 60.668329]        ret_from_fork+0x24/0x30
[ 60.668330]
[ 60.668332] -> #0 ((console_sem).lock){-...}:
[ 60.668340]        lock_acquire+0x16f/0x3f0
[ 60.668342]        _raw_spin_lock_irqsave+0x95/0xcd
[ 60.668344]        down_trylock+0x13/0x70
[ 60.668347]        __down_trylock_console_sem+0xa8/0x210
[ 60.668350]        console_trylock+0x15/0xa0
[ 60.668352]        vprintk_emit+0x21d/0x690
[ 60.668354]        vprintk_default+0x28/0x30
[ 60.668356]        vprintk_func+0x7e/0x189
[ 60.668359]        printk+0xba/0xed
[ 60.668361]        __warn_printk+0x9b/0xf3
[ 60.668363]        debug_print_object+0x168/0x250
[ 60.668366]        debug_check_no_obj_freed+0x29f/0x464
[ 60.668368]        kfree+0xbd/0x220
[ 60.668370]        rfcomm_dlc_free+0x20/0x30
[ 60.668373]        rfcomm_dev_ioctl+0x181f/0x1b60
[ 60.668376]        rfcomm_sock_ioctl+0x90/0xb0
[ 60.668378]        sock_do_ioctl+0xd8/0x2f0
[ 60.668380]        sock_ioctl+0x325/0x610
[ 60.668391]        do_vfs_ioctl+0xd5f/0x1380
[ 60.668394]        ksys_ioctl+0xab/0xd0
[ 60.668396]        __x64_sys_ioctl+0x73/0xb0
[ 60.668398]        do_syscall_64+0xfd/0x620
[ 60.668401]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.668402]
[ 60.668405] other info that might help us debug this:
[ 60.668406]
[ 60.668408] Chain exists of:
[ 60.668409]   (console_sem).lock --> &rq->lock --> &obj_hash[i].lock
[ 60.668420]
[ 60.668422]  Possible unsafe locking scenario:
[ 60.668423]
[ 60.668426]        CPU0                    CPU1
[ 60.668428]        ----                    ----
[ 60.668429]   lock(&obj_hash[i].lock);
[ 60.668435]                                lock(&rq->lock);
[ 60.668440]                                lock(&obj_hash[i].lock);
[ 60.668445]   lock((console_sem).lock);
[ 60.668449]
[ 60.668451]  *** DEADLOCK ***
[ 60.668452]
[ 60.668455] 3 locks held by syz-executor502/7653:
[ 60.668456]  #0: 00000000cc548ff1 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: rfcomm_sock_ioctl+0x82/0xb0
[ 60.668467]  #1: 000000007f8e8495 (rfcomm_ioctl_mutex){+.+.}, at: rfcomm_dev_ioctl+0x4f0/0x1b60
[ 60.668476]  #2: 0000000038f5d169 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 60.668487]
[ 60.668488] stack backtrace:
[ 60.668492] CPU: 1 PID: 7653 Comm: syz-executor502 Not tainted 4.19.80 #0
[ 60.668496] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.668498] Call Trace:
[ 60.668500]  dump_stack+0x172/0x1f0
[ 60.668503]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 60.668505]  __lock_acquire+0x2e19/0x49c0
[ 60.668508]  ? mark_held_locks+0x100/0x100
[ 60.668510]  ? kvm_clock_read+0x18/0x30
[ 60.668512]  ? kvm_sched_clock_read+0x9/0x20
[ 60.668515]  lock_acquire+0x16f/0x3f0
[ 60.668517]  ? down_trylock+0x13/0x70
[ 60.668519]  _raw_spin_lock_irqsave+0x95/0xcd
[ 60.668522]  ? down_trylock+0x13/0x70
[ 60.668524]  ? vprintk_emit+0x21d/0x690
[ 60.668526]  down_trylock+0x13/0x70
[ 60.668528]  ? vprintk_emit+0x21d/0x690
[ 60.668531]  __down_trylock_console_sem+0xa8/0x210
[ 60.668533]  console_trylock+0x15/0xa0
[ 60.668535]  vprintk_emit+0x21d/0x690
[ 60.668538]  ? __internal_add_timer+0x1f0/0x1f0
[ 60.668540]  vprintk_default+0x28/0x30
[ 60.668542]  vprintk_func+0x7e/0x189
[ 60.668544]  printk+0xba/0xed
[ 60.668547]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 60.668549]  ? __warn_printk+0x8f/0xf3
[ 60.668552]  ? rfcomm_session_add+0x300/0x300
[ 60.668554]  __warn_printk+0x9b/0xf3
[ 60.668556]  ? add_taint.cold+0x16/0x16
[ 60.668558]  ? skb_dequeue+0x12e/0x180
[ 60.668561]  ? rfcomm_session_add+0x300/0x300
[ 60.668563]  debug_print_object+0x168/0x250
[ 60.668566]  debug_check_no_obj_freed+0x29f/0x464
[ 60.668568]  kfree+0xbd/0x220
[ 60.668570]  rfcomm_dlc_free+0x20/0x30
[ 60.668572]  rfcomm_dev_ioctl+0x181f/0x1b60
[ 60.668575]  ? __local_bh_enable_ip+0x15a/0x270
[ 60.668577]  ? lock_sock_nested+0xe2/0x120
[ 60.668580]  ? __local_bh_enable_ip+0x15a/0x270
[ 60.668582]  ? rfcomm_dev_state_change+0x150/0x150
[ 60.668585]  ? __local_bh_enable_ip+0x15a/0x270
[ 60.668587]  rfcomm_sock_ioctl+0x90/0xb0
[ 60.668590]  sock_do_ioctl+0xd8/0x2f0
[ 60.668592]  ? compat_ifr_data_ioctl+0x160/0x160
[ 60.668594]  ? __lock_acquire+0x6ee/0x49c0
[ 60.668597]  ? rcu_read_lock_sched_held+0x110/0x130
[ 60.668600]  ? kmem_cache_alloc+0x32a/0x700
[ 60.668602]  sock_ioctl+0x325/0x610
[ 60.668604]  ? dlci_ioctl_set+0x40/0x40
[ 60.668607]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 60.668609]  ? __might_sleep+0x95/0x190
[ 60.668612]  ? find_held_lock+0x35/0x130
[ 60.668614]  ? dlci_ioctl_set+0x40/0x40
[ 60.668616]  do_vfs_ioctl+0xd5f/0x1380
[ 60.668619]  ? selinux_file_ioctl+0x46f/0x5e0
[ 60.668621]  ? selinux_file_ioctl+0x125/0x5e0
[ 60.668624]  ? ioctl_preallocate+0x210/0x210
[ 60.668626]  ? selinux_file_mprotect+0x620/0x620
[ 60.668629]  ? __sanitizer_cov_trace_cmp1+0xb/0x20
[ 60.668631]  ? __fd_install+0x200/0x640
[ 60.668633]  ? fd_install+0x4d/0x60
[ 60.668645]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 60.668647]  ? security_file_ioctl+0x8d/0xc0
[ 60.668649]  ksys_ioctl+0xab/0xd0
[ 60.668652]  __x64_sys_ioctl+0x73/0xb0
[ 60.668654]  do_syscall_64+0xfd/0x620
[ 60.668657]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.668659] RIP: 0033:0x441229
[ 60.668667] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 60.668669] RSP: 002b:00007ffcc797a188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 60.668676] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 60.668679] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 60.668683] RBP: 000000000000eb23 R08: 00000000004002c8 R09: 00000000004002c8
[ 60.668686] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 60.668690] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 60.670216] Kernel Offset: disabled
[ 61.492070] Rebooting in 86400 seconds..