[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   31.396246] random: sshd: uninitialized urandom read (32 bytes read)
[   31.644698] kauditd_printk_skb: 10 callbacks suppressed
[   31.644705] audit: type=1400 audit(1577507425.305:35): avc:  denied  { map } for  pid=6990 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   31.699375] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   32.273826] random: sshd: uninitialized urandom read (32 bytes read)
[   32.459016] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.102' (ECDSA) to the list of known hosts.
[   37.886900] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   38.001608] audit: type=1400 audit(1577507431.665:36): avc:  denied  { map } for  pid=7004 comm="syz-executor419" path="/root/syz-executor419560074" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[   43.011469] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x60
[   43.022090] ------------[ cut here ]------------
[   43.026848] WARNING: CPU: 0 PID: 7007 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[   43.035834] Kernel panic - not syncing: panic_on_warn set ...
[   43.035834] 
[   43.043175] CPU: 0 PID: 7007 Comm: syz-executor419 Not tainted 4.14.160-syzkaller #0
[   43.051037] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.060388] Call Trace:
[   43.062969]  dump_stack+0x142/0x197
[   43.066599]  panic+0x1f9/0x42d
[   43.069777]  ? add_taint.cold+0x16/0x16
[   43.073729]  ? debug_print_object.cold+0xa7/0xdb
[   43.078470]  ? debug_print_object.cold+0xa7/0xdb
[   43.083206]  __warn.cold+0x2f/0x2f
[   43.086728]  ? ist_end_non_atomic+0x10/0x10
[   43.091033]  ? debug_print_object.cold+0xa7/0xdb
[   43.095774]  report_bug+0x216/0x254
[   43.099381]  do_error_trap+0x1bb/0x310
[   43.103261]  ? math_error+0x360/0x360
[   43.107054]  ? vprintk_emit+0x171/0x600
[   43.111007]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   43.115829]  do_invalid_op+0x1b/0x20
[   43.119522]  invalid_op+0x1b/0x40
[   43.122971] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[   43.128325] RSP: 0018:ffff88808eea7aa8 EFLAGS: 00010086
[   43.133675] RAX: 000000000000005e RBX: 0000000000000003 RCX: 0000000000000000
[   43.140928] RDX: 0000000000000000 RSI: ffffffff86cc4480 RDI: ffffed1011dd4f4b
[   43.148190] RBP: ffff88808eea7ad0 R08: 000000000000005e R09: 0000000000000000
[   43.155444] R10: 0000000000000000 R11: ffff888092bf8580 R12: ffffffff86cbf760
[   43.162694] R13: ffffffff85c9fb00 R14: 0000000000000000 R15: ffff888084d0d828
[   43.169967]  ? rfcomm_dlc_link+0x160/0x160
[   43.174186]  ? debug_print_object.cold+0xa7/0xdb
[   43.179393]  debug_check_no_obj_freed+0x3f5/0x7b7
[   43.184240]  ? free_obj_work+0x6d0/0x6d0
[   43.188293]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[   43.193738]  kfree+0xbd/0x270
[   43.196831]  rfcomm_dlc_free+0x20/0x30
[   43.200742]  rfcomm_dev_ioctl+0x1637/0x1920
[   43.205059]  ? mark_held_locks+0xb1/0x100
[   43.209191]  ? rfcomm_tty_install+0x180/0x180
[   43.213670]  ? __local_bh_enable_ip+0x99/0x1a0
[   43.218234]  rfcomm_sock_ioctl+0x82/0xa0
[   43.222307]  sock_do_ioctl+0x64/0xb0
[   43.226010]  sock_ioctl+0x2a6/0x470
[   43.229626]  ? dlci_ioctl_set+0x40/0x40
[   43.233585]  do_vfs_ioctl+0x7ae/0x1060
[   43.237455]  ? selinux_file_mprotect+0x5d0/0x5d0
[   43.242210]  ? ioctl_preallocate+0x1c0/0x1c0
[   43.246599]  ? fd_install+0x4d/0x60
[   43.250209]  ? security_file_ioctl+0x7d/0xb0
[   43.254593]  ? security_file_ioctl+0x89/0xb0
[   43.258981]  SyS_ioctl+0x8f/0xc0
[   43.262328]  ? do_vfs_ioctl+0x1060/0x1060
[   43.266462]  do_syscall_64+0x1e8/0x640
[   43.270325]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   43.275205]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   43.280394] RIP: 0033:0x4412b9
[   43.283566] RSP: 002b:00007ffe44b83098 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   43.291256] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
[   43.298514] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[   43.305769] RBP: 000000000000a7fe R08: 00000000004002c8 R09: 00000000004002c8
[   43.313073] R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020e0
[   43.320323] R13: 0000000000402170 R14: 0000000000000000 R15: 0000000000000000
[   43.327591] 
[   43.327593] ======================================================
[   43.327594] WARNING: possible circular locking dependency detected
[   43.327596] 4.14.160-syzkaller #0 Not tainted
[   43.327597] ------------------------------------------------------
[   43.327599] syz-executor419/7007 is trying to acquire lock:
[   43.327600]  ((console_sem).lock){-...}, at: [] down_trylock+0x13/0x70
[   43.327604] 
[   43.327605] but task is already holding lock:
[   43.327606]  (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x12d/0x7b7
[   43.327610] 
[   43.327612] which lock already depends on the new lock.
[   43.327612] 
[   43.327613] 
[   43.327615] the existing dependency chain (in reverse order) is:
[   43.327615] 
[   43.327616] -> #5 (&obj_hash[i].lock){-.-.}:
[   43.327620]        lock_acquire+0x16f/0x430
[   43.327622]        _raw_spin_lock_irqsave+0x95/0xcd
[   43.327623]        debug_object_activate+0x10b/0x450
[   43.327624]        enqueue_hrtimer+0x27/0x3b0
[   43.327625]        hrtimer_start_range_ns+0x512/0x10d0
[   43.327627]        schedule_hrtimeout_range_clock+0x17c/0x340
[   43.327628]        schedule_hrtimeout+0x25/0x30
[   43.327629]        wait_task_inactive+0x4ac/0x580
[   43.327630]        __kthread_bind_mask+0x24/0xc0
[   43.327632]        kthread_bind_mask+0x23/0x30
[   43.327633]        create_worker+0x31b/0x530
[   43.327634]        workqueue_init+0x57b/0x68a
[   43.327635]        kernel_init_freeable+0x2af/0x532
[   43.327636]        kernel_init+0x12/0x162
[   43.327638]        ret_from_fork+0x24/0x30
[   43.327638] 
[   43.327639] -> #4 (hrtimer_bases.lock){-.-.}:
[   43.327643]        lock_acquire+0x16f/0x430
[   43.327644]        _raw_spin_lock_irqsave+0x95/0xcd
[   43.327646]        lock_hrtimer_base.isra.0+0x75/0x130
[   43.327647]        hrtimer_start_range_ns+0x7a/0x10d0
[   43.327648]        enqueue_task_rt+0x972/0xe40
[   43.327650]        __sched_setscheduler+0xd2a/0x2540
[   43.327651]        _sched_setscheduler+0x113/0x180
[   43.327652]        sched_setscheduler+0xe/0x10
[   43.327653]        watchdog_enable+0x10b/0x160
[   43.327654]        smpboot_thread_fn+0x444/0x960
[   43.327656]        kthread+0x319/0x430
[   43.327657]        ret_from_fork+0x24/0x30
[   43.327657] 
[   43.327658] -> #3 (&rt_b->rt_runtime_lock){-.-.}:
[   43.327662]        lock_acquire+0x16f/0x430
[   43.327663]        _raw_spin_lock+0x2f/0x40
[   43.327665]        enqueue_task_rt+0x524/0xe40
[   43.327666]        __sched_setscheduler+0xd2a/0x2540
[   43.327667]        _sched_setscheduler+0x113/0x180
[   43.327668]        sched_setscheduler+0xe/0x10
[   43.327670]        watchdog_enable+0x10b/0x160
[   43.327671]        smpboot_thread_fn+0x444/0x960
[   43.327672]        kthread+0x319/0x430
[   43.327673]        ret_from_fork+0x24/0x30
[   43.327674] 
[   43.327674] -> #2 (&rq->lock){-.-.}:
[   43.327678]        lock_acquire+0x16f/0x430
[   43.327680]        _raw_spin_lock+0x2f/0x40
[   43.327681]        task_fork_fair+0x63/0x5b0
[   43.327682]        sched_fork+0x3a6/0xc10
[   43.327683]        copy_process.part.0+0x15b7/0x6a70
[   43.327684]        _do_fork+0x19e/0xce0
[   43.327686]        kernel_thread+0x34/0x40
[   43.327687]        rest_init+0x24/0x1e2
[   43.327688]        start_kernel+0x6df/0x6fd
[   43.327689]        x86_64_start_reservations+0x29/0x2b
[   43.327690]        x86_64_start_kernel+0x77/0x7b
[   43.327692]        secondary_startup_64+0xa5/0xb0
[   43.327692] 
[   43.327693] -> #1 (&p->pi_lock){-.-.}:
[   43.327697]        lock_acquire+0x16f/0x430
[   43.327699]        _raw_spin_lock_irqsave+0x95/0xcd
[   43.327700]        try_to_wake_up+0x79/0xf90
[   43.327701]        wake_up_process+0x10/0x20
[   43.327702]        __up.isra.0+0x136/0x1a0
[   43.327703]        up+0x9c/0xe0
[   43.327704]        __up_console_sem+0xad/0x1b0
[   43.327706]        console_unlock+0x59d/0xed0
[   43.327707]        vprintk_emit+0x1f9/0x600
[   43.327708]        vprintk_default+0x28/0x30
[   43.327710]        vprintk_func+0x5d/0x159
[   43.327711]        printk+0x9e/0xbc
[   43.327712]        kauditd_hold_skb.cold+0x3e/0x4d
[   43.327713]        kauditd_send_queue+0xfe/0x140
[   43.327714]        kauditd_thread+0x644/0x860
[   43.327715]        kthread+0x319/0x430
[   43.327717]        ret_from_fork+0x24/0x30
[   43.327717] 
[   43.327718] -> #0 ((console_sem).lock){-...}:
[   43.327722]        __lock_acquire+0x2cb3/0x4620
[   43.327723]        lock_acquire+0x16f/0x430
[   43.327724]        _raw_spin_lock_irqsave+0x95/0xcd
[   43.327726]        down_trylock+0x13/0x70
[   43.327727]        __down_trylock_console_sem+0x9c/0x200
[   43.327728]        console_trylock+0x17/0x80
[   43.327729]        vprintk_emit+0x1eb/0x600
[   43.327730]        vprintk_default+0x28/0x30
[   43.327732]        vprintk_func+0x5d/0x159
[   43.327733]        printk+0x9e/0xbc
[   43.327734]        debug_print_object.cold+0xa7/0xdb
[   43.327735]        debug_check_no_obj_freed+0x3f5/0x7b7
[   43.327736]        kfree+0xbd/0x270
[   43.327737]        rfcomm_dlc_free+0x20/0x30
[   43.327739]        rfcomm_dev_ioctl+0x1637/0x1920
[   43.327740]        rfcomm_sock_ioctl+0x82/0xa0
[   43.327741]        sock_do_ioctl+0x64/0xb0
[   43.327742]        sock_ioctl+0x2a6/0x470
[   43.327743]        do_vfs_ioctl+0x7ae/0x1060
[   43.327744]        SyS_ioctl+0x8f/0xc0
[   43.327746]        do_syscall_64+0x1e8/0x640
[   43.327747]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   43.327748] 
[   43.327749] other info that might help us debug this:
[   43.327750] 
[   43.327751] Chain exists of:
[   43.327751]   (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[   43.327757] 
[   43.327758]  Possible unsafe locking scenario:
[   43.327758] 
[   43.327760]        CPU0                    CPU1
[   43.327761]        ----                    ----
[   43.327762]   lock(&obj_hash[i].lock);
[   43.327764]                                lock(hrtimer_bases.lock);
[   43.327767]                                lock(&obj_hash[i].lock);
[   43.327769]   lock((console_sem).lock);
[   43.327772] 
[   43.327773]  *** DEADLOCK ***
[   43.327774] 
[   43.327775] 3 locks held by syz-executor419/7007:
[   43.327775]  #0:  (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: [] rfcomm_sock_ioctl+0x74/0xa0
[   43.327780]  #1:  (rfcomm_ioctl_mutex){+.+.}, at: [] rfcomm_dev_ioctl+0x452/0x1920
[   43.327785]  #2:  (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x12d/0x7b7
[   43.327789] 
[   43.327790] stack backtrace:
[   43.327792] CPU: 0 PID: 7007 Comm: syz-executor419 Not tainted 4.14.160-syzkaller #0
[   43.327794] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.327795] Call Trace:
[   43.327796]  dump_stack+0x142/0x197
[   43.327797]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[   43.327799]  __lock_acquire+0x2cb3/0x4620
[   43.327800]  ? add_lock_to_list.isra.0+0x17c/0x330
[   43.327801]  ? trace_hardirqs_on+0x10/0x10
[   43.327802]  ? netdev_bits+0xb0/0xb0
[   43.327803]  ? save_trace+0x290/0x290
[   43.327804]  ? kvm_clock_read+0x23/0x40
[   43.327806]  ? kvm_sched_clock_read+0x9/0x20
[   43.327807]  lock_acquire+0x16f/0x430
[   43.327808]  ? down_trylock+0x13/0x70
[   43.327809]  ? vprintk_emit+0x109/0x600
[   43.327810]  _raw_spin_lock_irqsave+0x95/0xcd
[   43.327812]  ? down_trylock+0x13/0x70
[   43.327813]  ? vprintk_emit+0x1eb/0x600
[   43.327814]  down_trylock+0x13/0x70
[   43.327815]  ? vprintk_emit+0x1eb/0x600
[   43.327817]  __down_trylock_console_sem+0x9c/0x200
[   43.327818]  console_trylock+0x17/0x80
[   43.327819]  vprintk_emit+0x1eb/0x600
[   43.327820]  vprintk_default+0x28/0x30
[   43.327821]  vprintk_func+0x5d/0x159
[   43.327822]  ? rfcomm_dlc_link+0x160/0x160
[   43.327823]  printk+0x9e/0xbc
[   43.327825]  ? show_regs_print_info+0x63/0x63
[   43.327826]  ? lock_acquire+0x16f/0x430
[   43.327827]  ? debug_check_no_obj_freed+0x12d/0x7b7
[   43.327828]  ? rfcomm_dlc_link+0x160/0x160
[   43.327830]  debug_print_object.cold+0xa7/0xdb
[   43.327831]  debug_check_no_obj_freed+0x3f5/0x7b7
[   43.327832]  ? free_obj_work+0x6d0/0x6d0
[   43.327834]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[   43.327835]  kfree+0xbd/0x270
[   43.327836]  rfcomm_dlc_free+0x20/0x30
[   43.327837]  rfcomm_dev_ioctl+0x1637/0x1920
[   43.327838]  ? mark_held_locks+0xb1/0x100
[   43.327839]  ? rfcomm_tty_install+0x180/0x180
[   43.327841]  ? __local_bh_enable_ip+0x99/0x1a0
[   43.327842]  rfcomm_sock_ioctl+0x82/0xa0
[   43.327843]  sock_do_ioctl+0x64/0xb0
[   43.327844]  sock_ioctl+0x2a6/0x470
[   43.327845]  ? dlci_ioctl_set+0x40/0x40
[   43.327846]  do_vfs_ioctl+0x7ae/0x1060
[   43.327847]  ? selinux_file_mprotect+0x5d0/0x5d0
[   43.327849]  ? ioctl_preallocate+0x1c0/0x1c0
[   43.327850]  ? fd_install+0x4d/0x60
[   43.327851]  ? security_file_ioctl+0x7d/0xb0
[   43.327852]  ? security_file_ioctl+0x89/0xb0
[   43.327853]  SyS_ioctl+0x8f/0xc0
[   43.327855]  ? do_vfs_ioctl+0x1060/0x1060
[   43.327856]  do_syscall_64+0x1e8/0x640
[   43.327857]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   43.327859]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   43.327860] RIP: 0033:0x4412b9
[   43.327861] RSP: 002b:00007ffe44b83098 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   43.327864] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
[   43.327866] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[   43.327867] RBP: 000000000000a7fe R08: 00000000004002c8 R09: 00000000004002c8
[   43.327869] R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020e0
[   43.327871] R13: 0000000000402170 R14: 0000000000000000 R15: 0000000000000000
[   43.329216] Kernel Offset: disabled
[   44.237673] Rebooting in 86400 seconds..
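The line that matters in this log is the first one from debugobjects: a timer_list whose callback is rfcomm_dlc_timeout was still in the active (pending) state when the object containing it was handed to kfree() from rfcomm_dlc_free(), reached through rfcomm_dev_ioctl() on an AF_BLUETOOTH/BTPROTO_RFCOMM socket. Without CONFIG_DEBUG_OBJECTS_FREE nothing would have fired here; the timer wheel would simply be left pointing at freed memory until the timer expires. The lockdep splat that follows is a side effect of debug_print_object() calling printk() while &obj_hash[i].lock is held (visible in the "-> #0" chain) and is not the bug being reported. The Python below is an added triage helper, not part of the syzkaller report or of the kernel tree; it pulls out of such a log the facts a practitioner reaches for first: the ODEBUG object type and callback hint, the frames between the allocator free and the syscall boundary, the user-space syscall number from ORIG_RAX (0x10 is ioctl on x86_64), and the ioctl request word in RSI split into its _IOC fields. SAMPLE_LOG is a constructed excerpt of the report above; the syscall table and the RFCOMM ioctl name table (_IOW('R', 200, int) and _IOW('R', 201, int) from include/net/bluetooth/rfcomm.h) are deliberately partial.

```python
"""Triage helper for a syzkaller console log such as the report above (added example)."""
import re

# Constructed sample input: an excerpt of the report above, trimmed to the
# lines the helper needs (the full log carries many more frames).
SAMPLE_LOG = """\
[   43.011469] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x60
[   43.060388] Call Trace:
[   43.062969]  dump_stack+0x142/0x197
[   43.073729]  ? debug_print_object.cold+0xa7/0xdb
[   43.179393]  debug_check_no_obj_freed+0x3f5/0x7b7
[   43.193738]  kfree+0xbd/0x270
[   43.196831]  rfcomm_dlc_free+0x20/0x30
[   43.200742]  rfcomm_dev_ioctl+0x1637/0x1920
[   43.218234]  rfcomm_sock_ioctl+0x82/0xa0
[   43.226010]  sock_ioctl+0x2a6/0x470
[   43.233585]  do_vfs_ioctl+0x7ae/0x1060
[   43.258981]  SyS_ioctl+0x8f/0xc0
[   43.266462]  do_syscall_64+0x1e8/0x640
[   43.275205]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   43.280394] RIP: 0033:0x4412b9
[   43.283566] RSP: 002b:00007ffe44b83098 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   43.298514] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[   43.327594] WARNING: possible circular locking dependency detected
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?(.*)$")
FRAME_RE = re.compile(r"^([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
ODEBUG_RE = re.compile(r"ODEBUG: (?P<what>.+?) \(active state (?P<state>\d+)\) "
                       r"object type: (?P<type>\w+) hint: (?P<hint>[\w.]+)\+")
REG_RE = re.compile(r"\b(ORIG_RAX|R[A-Z0-9]{2}): ([0-9a-f]{16})\b")
FREE_FUNCS = {"kfree", "kvfree", "kmem_cache_free"}
SYSCALLS_X86_64 = {16: "ioctl"}  # deliberately partial table
# From include/net/bluetooth/rfcomm.h: _IOW('R', 200, int) and _IOW('R', 201, int).
RFCOMM_IOCTLS = {("R", 200): "RFCOMMCREATEDEV", ("R", 201): "RFCOMMRELEASEDEV"}


def strip_timestamps(log):
    """Drop the '[ secs.usecs]' prefix and surrounding whitespace from each line."""
    lines = []
    for raw in log.splitlines():
        m = TS_RE.match(raw)
        lines.append((m.group(1) if m else raw).strip())
    return lines


def parse_odebug(lines):
    """Object type and callback hint from the first 'ODEBUG:' line, else None."""
    return next((m.groupdict() for m in map(ODEBUG_RE.search, lines) if m), None)


def kernel_frames(lines):
    """Frames of the first Call Trace, '?' guesses dropped, up to the return to user mode."""
    frames, in_trace = [], False
    for line in lines:
        if line == "Call Trace:":
            in_trace = True
        elif in_trace and line.startswith("RIP: 0033:"):
            break
        elif in_trace and FRAME_RE.match(line):
            frames.append(FRAME_RE.match(line).group(1))
    return frames


def free_path(frames):
    """Frames between the allocator free and the syscall entry: who freed the object."""
    for i, f in enumerate(frames):
        if f in FREE_FUNCS:
            tail = frames[i + 1:]
            stop = [j for j, g in enumerate(tail)
                    if g.startswith(("SyS_", "__x64_sys_", "do_syscall"))]
            return tail[:stop[0]] if stop else tail
    return []


def user_regs(lines):
    """Register dump that follows 'RIP: 0033:' (user-mode state at syscall entry)."""
    regs, in_user = {}, False
    for line in lines:
        if line.startswith("RIP: 0033:"):
            in_user = True
            continue
        if in_user:
            pairs = REG_RE.findall(line)
            if not pairs:
                break
            regs.update({k: int(v, 16) for k, v in pairs})
    return regs


def decode_ioc(req):
    """Split a Linux ioctl request word into its _IOC(dir, type, nr, size) fields."""
    return {"dir": req >> 30, "size": (req >> 16) & 0x3FFF,
            "type": chr((req >> 8) & 0xFF), "nr": req & 0xFF}


def triage(log):
    lines = strip_timestamps(log)
    regs = user_regs(lines)
    nr = regs.get("ORIG_RAX")
    out = {"odebug": parse_odebug(lines), "free_path": free_path(kernel_frames(lines)),
           "syscall": SYSCALLS_X86_64.get(nr, f"nr={nr}")}
    if out["syscall"] == "ioctl" and "RSI" in regs:  # x86_64 ioctl: RDI=fd, RSI=request, RDX=arg
        out["ioctl"] = dict(decode_ioc(regs["RSI"]), fd=regs.get("RDI"))
        out["ioctl"]["name"] = RFCOMM_IOCTLS.get((out["ioctl"]["type"], out["ioctl"]["nr"]))
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the excerpt, triage() reports the freed object as a timer_list with hint rfcomm_dlc_timeout, the free path rfcomm_dlc_free -> rfcomm_dev_ioctl -> rfcomm_sock_ioctl -> sock_ioctl -> do_vfs_ioctl, the syscall as ioctl on fd 4, and the request 0x400452c8 as a 4-byte _IOW on type 'R' number 200, which is RFCOMMCREATEDEV. The "? " frames are unwinder guesses and are dropped on purpose; keep the RIP/RSP lines of the kernel-mode dump out of the frame list, as the helper does, or the register values will be mistaken for functions.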