[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.155' (ECDSA) to the list of known hosts.
2022/12/15 06:35:37 ignoring optional flag "sandboxArg"="0"
2022/12/15 06:35:37 parsed 1 programs
2022/12/15 06:35:37 executed programs: 0
syzkaller login: [ 30.015804] IPVS: ftp: loaded support on port[0] = 21
[ 30.146956] chnl_net:caif_netlink_parms(): no params data found
[ 30.187748] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.194197] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.201272] device bridge_slave_0 entered promiscuous mode
[ 30.209886] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.217180] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.224223] device bridge_slave_1 entered promiscuous mode
[ 30.240417] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 30.249476] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 30.267226] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 30.274771] team0: Port device team_slave_0 added
[ 30.280677] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 30.289585] team0: Port device team_slave_1 added
[ 30.304730] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 30.311000] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 30.336270] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 30.347721] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 30.355142] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 30.380879] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 30.395383] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 30.402818] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 30.421266] device hsr_slave_0 entered promiscuous mode
[ 30.427017] device hsr_slave_1 entered promiscuous mode
[ 30.433998] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 30.440931] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 30.504781] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.511335] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.518416] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.524844] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 30.553167] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 30.559242] 8021q: adding VLAN 0 to HW filter on device bond0
[ 30.568611] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 30.578004] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 30.596844] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.603893] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.614544] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 30.620604] 8021q: adding VLAN 0 to HW filter on device team0
[ 30.629534] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 30.637333] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.643826] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 30.653736] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 30.661302] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.667727] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.682436] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 30.690101] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 30.700292] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 30.707666] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 30.717837] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 30.727024] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 30.733248] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 30.759312] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 30.767456] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 30.774581] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 30.785455] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 30.836932] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 30.847037] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 30.876642] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 30.883985] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 30.890481] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 30.900122] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 30.908161] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 30.915123] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 30.924320] device veth0_vlan entered promiscuous mode
[ 30.933389] device veth1_vlan entered promiscuous mode
[ 30.939176] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 30.947887] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 30.958553] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 30.968157] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 30.975779] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 30.983471] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 30.993016] device veth0_macvtap entered promiscuous mode
[ 30.999037] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 31.007381] device veth1_macvtap entered promiscuous mode
[ 31.016077] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 31.025381] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 31.035751] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 31.042954] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 31.050965] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 31.060236] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 31.068036] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 31.102556] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 31.174887] FAULT_INJECTION: forcing a failure.
[ 31.174887] name failslab, interval 1, probability 0, space 0, times 1
[ 31.186816] CPU: 1 PID: 8244 Comm: syz-executor.0 Not tainted 4.14.302-syzkaller #0
[ 31.194603] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 31.204103] Call Trace:
[ 31.206687] dump_stack+0x1b2/0x281
[ 31.210309] should_fail.cold+0x10a/0x149
[ 31.214441] should_failslab+0xd6/0x130
[ 31.218401] __kmalloc+0x6d/0x400
[ 31.221837] ? tty_buffer_alloc+0xc0/0x270
[ 31.226143] tty_buffer_alloc+0xc0/0x270
[ 31.230181] __tty_buffer_request_room+0x12c/0x290
[ 31.235196] tty_insert_flip_string_fixed_flag+0x8b/0x210
[ 31.240734] tty_insert_flip_string_and_push_buffer+0x3e/0x160
[ 31.246718] pty_write+0xc3/0xf0
[ 31.250088] tty_put_char+0xfe/0x120
[ 31.253914] ? dev_match_devt+0x80/0x80
[ 31.257872] ? pty_write_room+0xa9/0xd0
[ 31.261837] ? ptmx_open+0x300/0x300
[ 31.265550] __process_echoes+0x48c/0x8c0
[ 31.269743] n_tty_receive_buf_common+0x9a3/0x25a0
[ 31.274747] ? n_tty_receive_buf2+0x40/0x40
[ 31.279053] tty_ioctl+0xe8a/0x1430
[ 31.282795] ? tty_fasync+0x2c0/0x2c0
[ 31.286576] ? proc_fail_nth_write+0x7b/0x180
[ 31.291063] ? proc_tgid_io_accounting+0x6e0/0x7a0
[ 31.295994] ? fsnotify+0x974/0x11b0
[ 31.299726] ? proc_tgid_io_accounting+0x7a0/0x7a0
[ 31.304634] ? debug_check_no_obj_freed+0x2c0/0x680
[ 31.309631] ? tty_fasync+0x2c0/0x2c0
[ 31.313407] do_vfs_ioctl+0x75a/0xff0
[ 31.317190] ? ioctl_preallocate+0x1a0/0x1a0
[ 31.321581] ? vfs_write+0x319/0x4d0
[ 31.325267] ? SyS_write+0x14d/0x210
[ 31.328968] ? security_file_ioctl+0x83/0xb0
[ 31.333364] SyS_ioctl+0x7f/0xb0
[ 31.336864] ? do_vfs_ioctl+0xff0/0xff0
[ 31.340827] do_syscall_64+0x1d5/0x640
[ 31.344708] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 31.350037] RIP: 0033:0x7fb4994dd0d9
[ 31.353724] RSP: 002b:00007fff4fc63c88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 31.361422] RAX: ffffffffffffffda RBX: 00007fb4995fcf80 RCX: 00007fb4994dd0d9
[ 31.368694] RDX: 0000000020000000 RSI: 0000000000005412 RDI: 0000000000000004
[ 31.375949] RBP: 00007fff4fc63cf0 R08: 0000000000000000 R09: 0000000000000000
[ 31.383207] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 31.390465] R13: 00007fb499051158 R14: 00007fb4995fcf80 R15: 0000000000000000
[ 31.397817]
[ 31.397819] ======================================================
[ 31.397821] WARNING: possible circular locking dependency detected
[ 31.397822] 4.14.302-syzkaller #0 Not tainted
[ 31.397824] ------------------------------------------------------
[ 31.397825] syz-executor.0/8244 is trying to acquire lock:
[ 31.397826] (console_owner){....}, at: [] console_unlock+0x307/0xf20
[ 31.397831]
[ 31.397832] but task is already holding lock:
[ 31.397833] (&(&port->lock)->rlock){-.-.}, at: [] tty_insert_flip_string_and_push_buffer+0x2b/0x160
[ 31.397837]
[ 31.397839] which lock already depends on the new lock.
[ 31.397839]
[ 31.397840]
[ 31.397842] the existing dependency chain (in reverse order) is:
[ 31.397842]
[ 31.397843] -> #2 (&(&port->lock)->rlock){-.-.}:
[ 31.397847] _raw_spin_lock_irqsave+0x8c/0xc0
[ 31.397849] tty_port_tty_get+0x1d/0x80
[ 31.397850] tty_port_default_wakeup+0x11/0x40
[ 31.397851] serial8250_tx_chars+0x3fe/0xc70
[ 31.397853] serial8250_handle_irq.part.0+0x2c7/0x390
[ 31.397854] serial8250_default_handle_irq+0x8a/0x1f0
[ 31.397856] serial8250_interrupt+0xf3/0x210
[ 31.397857] __handle_irq_event_percpu+0xee/0x7f0
[ 31.397858] handle_irq_event+0xed/0x240
[ 31.397860] handle_edge_irq+0x224/0xc40
[ 31.397861] handle_irq+0x35/0x50
[ 31.397862] do_IRQ+0x93/0x1d0
[ 31.397863] ret_from_intr+0x0/0x1e
[ 31.397864] native_safe_halt+0xe/0x10
[ 31.397866] default_idle+0x47/0x370
[ 31.397867] do_idle+0x250/0x3c0
[ 31.397868] cpu_startup_entry+0x14/0x20
[ 31.397869] start_kernel+0x743/0x763
[ 31.397870] secondary_startup_64+0xa5/0xb0
[ 31.397871]
[ 31.397872] -> #1 (&port_lock_key){-.-.}:
[ 31.397876] _raw_spin_lock_irqsave+0x8c/0xc0
[ 31.397877] serial8250_console_write+0x8cb/0xb40
[ 31.397879] console_unlock+0x99d/0xf20
[ 31.397880] vprintk_emit+0x224/0x620
[ 31.397881] vprintk_func+0x58/0x160
[ 31.397882] printk+0x9e/0xbc
[ 31.397883] register_console+0x6f4/0xad0
[ 31.397885] univ8250_console_init+0x2f/0x3a
[ 31.397886] console_init+0x46/0x53
[ 31.397887] start_kernel+0x521/0x763
[ 31.397888] secondary_startup_64+0xa5/0xb0
[ 31.397889]
[ 31.397889] -> #0 (console_owner){....}:
[ 31.397893] lock_acquire+0x170/0x3f0
[ 31.397895] console_unlock+0x36f/0xf20
[ 31.397896] vprintk_emit+0x224/0x620
[ 31.397897] vprintk_func+0x58/0x160
[ 31.397898] printk+0x9e/0xbc
[ 31.397899] should_fail.cold+0xdf/0x149
[ 31.397901] should_failslab+0xd6/0x130
[ 31.397902] __kmalloc+0x6d/0x400
[ 31.397903] tty_buffer_alloc+0xc0/0x270
[ 31.397905] __tty_buffer_request_room+0x12c/0x290
[ 31.397906] tty_insert_flip_string_fixed_flag+0x8b/0x210
[ 31.397908] tty_insert_flip_string_and_push_buffer+0x3e/0x160
[ 31.397909] pty_write+0xc3/0xf0
[ 31.397910] tty_put_char+0xfe/0x120
[ 31.397912] __process_echoes+0x48c/0x8c0
[ 31.397913] n_tty_receive_buf_common+0x9a3/0x25a0
[ 31.397914] tty_ioctl+0xe8a/0x1430
[ 31.397916] do_vfs_ioctl+0x75a/0xff0
[ 31.397917] SyS_ioctl+0x7f/0xb0
[ 31.397918] do_syscall_64+0x1d5/0x640
[ 31.397920] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 31.397920]
[ 31.397922] other info that might help us debug this:
[ 31.397922]
[ 31.397923] Chain exists of:
[ 31.397924] console_owner --> &port_lock_key --> &(&port->lock)->rlock
[ 31.397929]
[ 31.397930] Possible unsafe locking scenario:
[ 31.397931]
[ 31.397932]        CPU0                    CPU1
[ 31.397933]        ----                    ----
[ 31.397934]   lock(&(&port->lock)->rlock);
[ 31.397937]                                lock(&port_lock_key);
[ 31.397940]                                lock(&(&port->lock)->rlock);
[ 31.397942]   lock(console_owner);
[ 31.397944]
[ 31.397945] *** DEADLOCK ***
[ 31.397946]
[ 31.397947] 6 locks held by syz-executor.0/8244:
[ 31.397948] #0: (&tty->ldisc_sem){++++}, at: [] tty_ldisc_ref_wait+0x22/0x80
[ 31.397953] #1: (&port->buf.lock/1){+.+.}, at: [] tty_ioctl+0xe20/0x1430
[ 31.397957] #2: (&o_tty->termios_rwsem/1){++++}, at: [] n_tty_receive_buf_common+0x91/0x25a0
[ 31.397963] #3: (&ldata->output_lock){+.+.}, at: [] n_tty_receive_buf_common+0x965/0x25a0
[ 31.397968] #4: (&(&port->lock)->rlock){-.-.}, at: [] tty_insert_flip_string_and_push_buffer+0x2b/0x160
[ 31.397973] #5: (console_lock){+.+.}, at: [] vprintk_func+0x58/0x160
[ 31.397977]
[ 31.397978] stack backtrace:
[ 31.397980] CPU: 1 PID: 8244 Comm: syz-executor.0 Not tainted 4.14.302-syzkaller #0
[ 31.397982] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 31.397983] Call Trace:
[ 31.397984] dump_stack+0x1b2/0x281
[ 31.397986] print_circular_bug.constprop.0.cold+0x2d7/0x41e
[ 31.397987] __lock_acquire+0x2e0e/0x3f20
[ 31.397988] ? trace_hardirqs_on+0x10/0x10
[ 31.397989] ? snprintf+0xd0/0xd0
[ 31.397991] ? console_unlock+0x34a/0xf20
[ 31.397992] lock_acquire+0x170/0x3f0
[ 31.397993] ? console_unlock+0x307/0xf20
[ 31.397994] console_unlock+0x36f/0xf20
[ 31.397995] ? console_unlock+0x307/0xf20
[ 31.397997] vprintk_emit+0x224/0x620
[ 31.397998] vprintk_func+0x58/0x160
[ 31.397999] printk+0x9e/0xbc
[ 31.398000] ? log_store.cold+0x16/0x16
[ 31.398001] ? ___ratelimit+0x2b5/0x510
[ 31.398002] should_fail.cold+0xdf/0x149
[ 31.398003] should_failslab+0xd6/0x130
[ 31.398004] __kmalloc+0x6d/0x400
[ 31.398006] ? tty_buffer_alloc+0xc0/0x270
[ 31.398007] tty_buffer_alloc+0xc0/0x270
[ 31.398008] __tty_buffer_request_room+0x12c/0x290
[ 31.398010] tty_insert_flip_string_fixed_flag+0x8b/0x210
[ 31.398011] tty_insert_flip_string_and_push_buffer+0x3e/0x160
[ 31.398013] pty_write+0xc3/0xf0
[ 31.398014] tty_put_char+0xfe/0x120
[ 31.398015] ? dev_match_devt+0x80/0x80
[ 31.398016] ? pty_write_room+0xa9/0xd0
[ 31.398017] ? ptmx_open+0x300/0x300
[ 31.398018] __process_echoes+0x48c/0x8c0
[ 31.398020] n_tty_receive_buf_common+0x9a3/0x25a0
[ 31.398021] ? n_tty_receive_buf2+0x40/0x40
[ 31.398022] tty_ioctl+0xe8a/0x1430
[ 31.398023] ? tty_fasync+0x2c0/0x2c0
[ 31.398025] ? proc_fail_nth_write+0x7b/0x180
[ 31.398026] ? proc_tgid_io_accounting+0x6e0/0x7a0
[ 31.398027] ? fsnotify+0x974/0x11b0
[ 31.398028] ? proc_tgid_io_accounting+0x7a0/0x7a0
[ 31.398030] ? debug_check_no_obj_freed+0x2c0/0x680
[ 31.398031] ? tty_fasync+0x2c0/0x2c0
[ 31.398032] do_vfs_ioctl+0x75a/0xff0
[ 31.398033] ? ioctl_preallocate+0x1a0/0x1a0
[ 31.398035] ? vfs_write+0x319/0x4d0
[ 31.398036] ? SyS_write+0x14d/0x210
[ 31.398037] ? security_file_ioctl+0x83/0xb0
[ 31.398038] SyS_ioctl+0x7f/0xb0
[ 31.398039] ? do_vfs_ioctl+0xff0/0xff0
[ 31.398040] do_syscall_64+0x1d5/0x640
[ 31.398042] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 31.398043] RIP: 0033:0x7fb4994dd0d9
[ 31.398044] RSP: 002b:00007fff4fc63c88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 31.398048] RAX: ffffffffffffffda RBX: 00007fb4995fcf80 RCX: 00007fb4994dd0d9
[ 31.398050] RDX: 0000000020000000 RSI: 0000000000005412 RDI: 0000000000000004
[ 31.398051] RBP: 00007fff4fc63cf0 R08: 0000000000000000 R09: 0000000000000000
[ 31.398053] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 31.398055] R13: 00007fb499051158 R14: 00007fb4995fcf80 R15: 0000000000000000
[ 32.160693] Bluetooth: hci0 command 0x0409 tx timeout