[ 35.035610] audit: type=1800 audit(1585367157.781:33): pid=7229 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 35.065005] audit: type=1800 audit(1585367157.781:34): pid=7229 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 37.427328] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.628027] audit: type=1400 audit(1585367160.371:35): avc: denied { map } for pid=7402 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.680227] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.419112] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.627639] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.65' (ECDSA) to the list of known hosts.
[ 44.198631] random: sshd: uninitialized urandom read (32 bytes read)
[ 44.329321] audit: type=1400 audit(1585367167.071:36): avc: denied { map } for pid=7415 comm="syz-executor208" path="/root/syz-executor208688279" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 44.581079] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 45.341929] ODEBUG: activate active (active state 1) object type: rcu_head hint: (null)
[ 45.351907] ------------[ cut here ]------------
[ 45.356675] WARNING: CPU: 1 PID: 7419 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 45.365852] Kernel panic - not syncing: panic_on_warn set ...
[ 45.365852]
[ 45.373656] CPU: 1 PID: 7419 Comm: syz-executor208 Not tainted 4.14.174-syzkaller #0
[ 45.382280] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.392696] Call Trace:
[ 45.395314]  dump_stack+0x13e/0x194
[ 45.398939]  panic+0x1f9/0x42d
[ 45.402545]  ? add_taint.cold+0x16/0x16
[ 45.406861]  ? debug_print_object.cold+0xa7/0xdb
[ 45.411793]  ? debug_print_object.cold+0xa7/0xdb
[ 45.416542]  __warn.cold+0x2f/0x30
[ 45.420149]  ? ist_end_non_atomic+0x10/0x10
[ 45.424475]  ? debug_print_object.cold+0xa7/0xdb
[ 45.429216]  report_bug+0x20a/0x248
[ 45.432836]  do_error_trap+0x195/0x2d0
[ 45.436704]  ? math_error+0x2d0/0x2d0
[ 45.440485]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 45.445531]  invalid_op+0x1b/0x40
[ 45.448973] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 45.454315] RSP: 0018:ffff88808e8b7430 EFLAGS: 00010082
[ 45.459665] RAX: 0000000000000055 RBX: 0000000000000003 RCX: 0000000000000000
[ 45.466913] RDX: 0000000000000000 RSI: ffffffff86ac07e0 RDI: ffffed1011d16e7c
[ 45.474266] RBP: ffffffff86ab5ee0 R08: 0000000000000055 R09: 0000000000000000
[ 45.481519] R10: fffffbfff14a8cd8 R11: ffff888080e20340 R12: 0000000000000000
[ 45.488778] R13: 0000000000000001 R14: 1ffff11011d16e90 R15: ffffffff87d84240
[ 45.496070]  debug_object_activate+0x307/0x450
[ 45.500648]  ? debug_object_free+0x390/0x390
[ 45.505035]  ? find_held_lock+0x2d/0x110
[ 45.509075]  ? route4_walk+0x450/0x450
[ 45.514129]  __call_rcu.constprop.0+0x31/0x7e0
[ 45.518714]  route4_change+0xb27/0x1c4d
[ 45.522776]  ? route4_delete+0x760/0x760
[ 45.526883]  ? route4_delete+0x760/0x760
[ 45.530930]  tc_ctl_tfilter+0xf13/0x18e6
[ 45.534987]  ? tfilter_notify+0x240/0x240
[ 45.539119]  ? mutex_trylock+0x1a0/0x1a0
[ 45.543175]  ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 45.547563]  ? tfilter_notify+0x240/0x240
[ 45.551699]  rtnetlink_rcv_msg+0x3be/0xb10
[ 45.555922]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.560495]  ? save_trace+0x290/0x290
[ 45.564272]  ? save_trace+0x290/0x290
[ 45.568048]  netlink_rcv_skb+0x127/0x370
[ 45.572086]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.576657]  ? netlink_ack+0x980/0x980
[ 45.580544]  netlink_unicast+0x437/0x620
[ 45.584595]  ? netlink_attachskb+0x600/0x600
[ 45.589072]  netlink_sendmsg+0x733/0xbe0
[ 45.593223]  ? netlink_unicast+0x620/0x620
[ 45.597551]  ? SYSC_sendto+0x2b0/0x2b0
[ 45.601438]  ? security_socket_sendmsg+0x83/0xb0
[ 45.606295]  ? netlink_unicast+0x620/0x620
[ 45.610611]  sock_sendmsg+0xc5/0x100
[ 45.614312]  ___sys_sendmsg+0x70a/0x840
[ 45.618402]  ? trace_hardirqs_on+0x10/0x10
[ 45.622659]  ? copy_msghdr_from_user+0x380/0x380
[ 45.627401]  ? find_held_lock+0x2d/0x110
[ 45.631487]  ? lock_downgrade+0x6e0/0x6e0
[ 45.635644]  ? __fget+0x228/0x360
[ 45.639087]  ? __fget_light+0x199/0x1f0
[ 45.643064]  ? sockfd_lookup_light+0xb2/0x160
[ 45.647550]  __sys_sendmsg+0xa3/0x120
[ 45.651343]  ? SyS_shutdown+0x160/0x160
[ 45.655300]  ? _raw_spin_unlock_irq+0x24/0x80
[ 45.659880]  SyS_sendmsg+0x27/0x40
[ 45.663404]  ? __sys_sendmsg+0x120/0x120
[ 45.667445]  do_syscall_64+0x1d5/0x640
[ 45.671317]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.676485] RIP: 0033:0x446799
[ 45.679696] RSP: 002b:00007f03103acd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 45.687383] RAX: ffffffffffffffda RBX: 00000000006dcc88 RCX: 0000000000446799
[ 45.694758] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 45.702130] RBP: 00000000006dcc80 R08: 0000000000000000 R09: 0000000000000000
[ 45.709482] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc8c
[ 45.716765] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[ 45.724027]
[ 45.724029] ======================================================
[ 45.724031] WARNING: possible circular locking dependency detected
[ 45.724032] 4.14.174-syzkaller #0 Not tainted
[ 45.724034] ------------------------------------------------------
[ 45.724035] syz-executor208/7419 is trying to acquire lock:
[ 45.724036]  ((console_sem).lock){-...}, at: [] down_trylock+0xe/0x60
[ 45.724040]
[ 45.724041] but task is already holding lock:
[ 45.724042]  (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[ 45.724046]
[ 45.724047] which lock already depends on the new lock.
[ 45.724048]
[ 45.724049]
[ 45.724050] the existing dependency chain (in reverse order) is:
[ 45.724051]
[ 45.724052] -> #5 (&obj_hash[i].lock){-.-.}:
[ 45.724056]        _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.724057]        debug_object_activate+0x10b/0x450
[ 45.724058]        enqueue_hrtimer+0x22/0x3b0
[ 45.724060]        hrtimer_start_range_ns+0x4e6/0x1060
[ 45.724061]        schedule_hrtimeout_range_clock+0x13c/0x2f0
[ 45.724063]        wait_task_inactive+0x478/0x530
[ 45.724064]        __kthread_bind_mask+0x1f/0xb0
[ 45.724065]        create_worker+0x313/0x530
[ 45.724066]        workqueue_init+0x55f/0x66e
[ 45.724068]        kernel_init_freeable+0x2ab/0x526
[ 45.724069]        kernel_init+0xd/0x15b
[ 45.724070]        ret_from_fork+0x24/0x30
[ 45.724071]
[ 45.724071] -> #4 (hrtimer_bases.lock){-.-.}:
[ 45.724076]        _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.724077]        lock_hrtimer_base.isra.0+0x6d/0x120
[ 45.724078]        hrtimer_start_range_ns+0x7b/0x1060
[ 45.724080]        enqueue_task_rt+0x94d/0xdb0
[ 45.724081]        __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 45.724082]        _sched_setscheduler+0xf9/0x150
[ 45.724084]        watchdog_enable+0xff/0x150
[ 45.724085]        smpboot_thread_fn+0x40d/0x920
[ 45.724086]        kthread+0x30d/0x420
[ 45.724087]        ret_from_fork+0x24/0x30
[ 45.724088]
[ 45.724088] -> #3 (&rt_b->rt_runtime_lock){-.-.}:
[ 45.724093]        _raw_spin_lock+0x2a/0x40
[ 45.724094]        enqueue_task_rt+0x508/0xdb0
[ 45.724095]        __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 45.724097]        _sched_setscheduler+0xf9/0x150
[ 45.724098]        watchdog_enable+0xff/0x150
[ 45.724099]        smpboot_thread_fn+0x40d/0x920
[ 45.724100]        kthread+0x30d/0x420
[ 45.724101]        ret_from_fork+0x24/0x30
[ 45.724102]
[ 45.724103] -> #2 (&rq->lock){-.-.}:
[ 45.724107]        _raw_spin_lock+0x2a/0x40
[ 45.724108]        task_fork_fair+0x63/0x5b0
[ 45.724109]        sched_fork+0x39a/0xbd0
[ 45.724110]        copy_process.part.0+0x15b7/0x6a70
[ 45.724111]        _do_fork+0x180/0xc80
[ 45.724113]        kernel_thread+0x2f/0x40
[ 45.724114]        rest_init+0x1f/0x1d2
[ 45.724115]        start_kernel+0x659/0x676
[ 45.724116]        secondary_startup_64+0xa5/0xb0
[ 45.724117]
[ 45.724117] -> #1 (&p->pi_lock){-.-.}:
[ 45.724122]        _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.724123]        try_to_wake_up+0x6a/0xef0
[ 45.724124]        up+0x92/0xe0
[ 45.724125]        __up_console_sem+0xa9/0x1b0
[ 45.724126]        console_unlock+0x596/0xec0
[ 45.724127]        vprintk_emit+0x1f8/0x600
[ 45.724129]        vprintk_func+0x58/0x152
[ 45.724130]        printk+0x9e/0xbc
[ 45.724131]        kauditd_hold_skb.cold+0x3e/0x4d
[ 45.724132]        kauditd_send_queue+0xfb/0x140
[ 45.724133]        kauditd_thread+0x625/0x840
[ 45.724134]        kthread+0x30d/0x420
[ 45.724136]        ret_from_fork+0x24/0x30
[ 45.724136]
[ 45.724137] -> #0 ((console_sem).lock){-...}:
[ 45.724141]        lock_acquire+0x170/0x3f0
[ 45.724142]        _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.724143]        down_trylock+0xe/0x60
[ 45.724145]        __down_trylock_console_sem+0x97/0x1f0
[ 45.724146]        console_trylock+0x14/0x70
[ 45.724147]        vprintk_emit+0x1ea/0x600
[ 45.724148]        vprintk_func+0x58/0x152
[ 45.724149]        printk+0x9e/0xbc
[ 45.724151]        debug_print_object.cold+0xa7/0xdb
[ 45.724152]        debug_object_activate+0x307/0x450
[ 45.724153]        __call_rcu.constprop.0+0x31/0x7e0
[ 45.724155]        route4_change+0xb27/0x1c4d
[ 45.724156]        tc_ctl_tfilter+0xf13/0x18e6
[ 45.724157]        rtnetlink_rcv_msg+0x3be/0xb10
[ 45.724158]        netlink_rcv_skb+0x127/0x370
[ 45.724159]        netlink_unicast+0x437/0x620
[ 45.724161]        netlink_sendmsg+0x733/0xbe0
[ 45.724162]        sock_sendmsg+0xc5/0x100
[ 45.724163]        ___sys_sendmsg+0x70a/0x840
[ 45.724164]        __sys_sendmsg+0xa3/0x120
[ 45.724165]        SyS_sendmsg+0x27/0x40
[ 45.724167]        do_syscall_64+0x1d5/0x640
[ 45.724168]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.724169]
[ 45.724170] other info that might help us debug this:
[ 45.724171]
[ 45.724172] Chain exists of:
[ 45.724172]   (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 45.724178]
[ 45.724179]  Possible unsafe locking scenario:
[ 45.724180]
[ 45.724181]        CPU0                    CPU1
[ 45.724182]        ----                    ----
[ 45.724183]   lock(&obj_hash[i].lock);
[ 45.724186]                                lock(hrtimer_bases.lock);
[ 45.724189]                                lock(&obj_hash[i].lock);
[ 45.724191]   lock((console_sem).lock);
[ 45.724193]
[ 45.724194]  *** DEADLOCK ***
[ 45.724195]
[ 45.724196] 2 locks held by syz-executor208/7419:
[ 45.724197]  #0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10
[ 45.724201]  #1: (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[ 45.724206]
[ 45.724206] stack backtrace:
[ 45.724208] CPU: 1 PID: 7419 Comm: syz-executor208 Not tainted 4.14.174-syzkaller #0
[ 45.724211] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.724212] Call Trace:
[ 45.724213]  dump_stack+0x13e/0x194
[ 45.724214]  print_circular_bug.isra.0.cold+0x1c4/0x282
[ 45.724216]  __lock_acquire+0x2cb3/0x4620
[ 45.724217]  ? string+0x17e/0x1d0
[ 45.724218]  ? trace_hardirqs_on+0x10/0x10
[ 45.724219]  ? netdev_bits+0xa0/0xa0
[ 45.724220]  ? kvm_clock_read+0x1f/0x30
[ 45.724221]  ? kvm_sched_clock_read+0x5/0x10
[ 45.724223]  lock_acquire+0x170/0x3f0
[ 45.724224]  ? down_trylock+0xe/0x60
[ 45.724225]  _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.724226]  ? down_trylock+0xe/0x60
[ 45.724227]  down_trylock+0xe/0x60
[ 45.724228]  ? vprintk_emit+0x1ea/0x600
[ 45.724230]  __down_trylock_console_sem+0x97/0x1f0
[ 45.724231]  console_trylock+0x14/0x70
[ 45.724232]  vprintk_emit+0x1ea/0x600
[ 45.724233]  vprintk_func+0x58/0x152
[ 45.724234]  printk+0x9e/0xbc
[ 45.724235]  ? show_regs_print_info+0x5b/0x5b
[ 45.724236]  ? lock_acquire+0x170/0x3f0
[ 45.724238]  ? debug_object_activate+0x10b/0x450
[ 45.724239]  debug_print_object.cold+0xa7/0xdb
[ 45.724240]  debug_object_activate+0x307/0x450
[ 45.724242]  ? debug_object_free+0x390/0x390
[ 45.724243]  ? find_held_lock+0x2d/0x110
[ 45.724244]  ? route4_walk+0x450/0x450
[ 45.724245]  __call_rcu.constprop.0+0x31/0x7e0
[ 45.724247]  route4_change+0xb27/0x1c4d
[ 45.724248]  ? route4_delete+0x760/0x760
[ 45.724249]  ? route4_delete+0x760/0x760
[ 45.724250]  tc_ctl_tfilter+0xf13/0x18e6
[ 45.724252]  ? tfilter_notify+0x240/0x240
[ 45.724253]  ? mutex_trylock+0x1a0/0x1a0
[ 45.724254]  ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 45.724255]  ? tfilter_notify+0x240/0x240
[ 45.724256]  rtnetlink_rcv_msg+0x3be/0xb10
[ 45.724258]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.724259]  ? save_trace+0x290/0x290
[ 45.724260]  ? save_trace+0x290/0x290
[ 45.724261]  netlink_rcv_skb+0x127/0x370
[ 45.724262]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.724264]  ? netlink_ack+0x980/0x980
[ 45.724265]  netlink_unicast+0x437/0x620
[ 45.724266]  ? netlink_attachskb+0x600/0x600
[ 45.724267]  netlink_sendmsg+0x733/0xbe0
[ 45.724268]  ? netlink_unicast+0x620/0x620
[ 45.724270]  ? SYSC_sendto+0x2b0/0x2b0
[ 45.724271]  ? security_socket_sendmsg+0x83/0xb0
[ 45.724272]  ? netlink_unicast+0x620/0x620
[ 45.724273]  sock_sendmsg+0xc5/0x100
[ 45.724274]  ___sys_sendmsg+0x70a/0x840
[ 45.724276]  ? trace_hardirqs_on+0x10/0x10
[ 45.724277]  ? copy_msghdr_from_user+0x380/0x380
[ 45.724278]  ? find_held_lock+0x2d/0x110
[ 45.724279]  ? lock_downgrade+0x6e0/0x6e0
[ 45.724280]  ? __fget+0x228/0x360
[ 45.724281]  ? __fget_light+0x199/0x1f0
[ 45.724283]  ? sockfd_lookup_light+0xb2/0x160
[ 45.724284]  __sys_sendmsg+0xa3/0x120
[ 45.724285]  ? SyS_shutdown+0x160/0x160
[ 45.724286]  ? _raw_spin_unlock_irq+0x24/0x80
[ 45.724287]  SyS_sendmsg+0x27/0x40
[ 45.724289]  ? __sys_sendmsg+0x120/0x120
[ 45.724290]  do_syscall_64+0x1d5/0x640
[ 45.724291]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.724292] RIP: 0033:0x446799
[ 45.724293] RSP: 002b:00007f03103acd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 45.724296] RAX: ffffffffffffffda RBX: 00000000006dcc88 RCX: 0000000000446799
[ 45.724298] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 45.724300] RBP: 00000000006dcc80 R08: 0000000000000000 R09: 0000000000000000
[ 45.724302] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc8c
[ 45.724304] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[ 45.725728] Kernel Offset: disabled
[ 46.613321] Rebooting in 86400 seconds..