[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 32.408800] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.613921] audit: type=1400 audit(1536715669.597:6): avc: denied { map } for pid=5498 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 32.661093] sshd (5496) used greatest stack depth: 16232 bytes left
[ 32.684280] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.331570] random: sshd: uninitialized urandom read (32 bytes read)
[ 47.619197] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.38' (ECDSA) to the list of known hosts.
[ 53.343242] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 53.484218] audit: type=1400 audit(1536715690.467:7): avc: denied { map } for pid=5513 comm="syz-executor810" path="/root/syz-executor810137770" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 53.486635] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
[ 53.534821] ==================================================================
[ 53.543591] BUG: KASAN: use-after-free in __schedule+0xfc3/0x1ed0
[ 53.549900] Read of size 8 at addr ffff8801c1370058 by task syz-executor810/5513
[ 53.557548]
[ 53.559188] CPU: 1 PID: 5513 Comm: syz-executor810 Not tainted 4.19.0-rc3+ #10
[ 53.566526] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.576035] Call Trace:
[ 53.578604]  dump_stack+0x1c4/0x2b4
[ 53.582222]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 53.587389]  ? printk+0xa7/0xcf
[ 53.590648]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 53.595384]  print_address_description.cold.8+0x9/0x1ff
[ 53.600737]  kasan_report.cold.9+0x242/0x309
[ 53.605129]  ? __schedule+0xfc3/0x1ed0
[ 53.608997]  __asan_report_load8_noabort+0x14/0x20
[ 53.614054]  __schedule+0xfc3/0x1ed0
[ 53.617761]  ? __sched_text_start+0x8/0x8
[ 53.621892]  ? __lock_is_held+0xb5/0x140
[ 53.625931]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 53.631011]  ? find_held_lock+0x36/0x1c0
[ 53.635091]  ? __call_srcu+0x7f9/0x1070
[ 53.639042]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 53.644129]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 53.649933]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 53.654494]  ? preempt_schedule+0x4d/0x60
[ 53.658750]  preempt_schedule_common+0x1f/0xd0
[ 53.663341]  preempt_schedule+0x4d/0x60
[ 53.667302]  ___preempt_schedule+0x16/0x18
[ 53.671518]  _raw_spin_unlock_irqrestore+0xbb/0xd0
[ 53.676557]  __call_srcu+0x7f9/0x1070
[ 53.680340]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 53.685425]  ? srcu_offline_cpu+0x120/0x120
[ 53.689727]  ? debug_object_free+0x690/0x690
[ 53.694119]  ? mark_held_locks+0x130/0x130
[ 53.698334]  ? kvm_arch_destroy_vm+0x414/0x7c0
[ 53.702895]  ? lock_release+0x970/0x970
[ 53.706849]  ? arch_local_save_flags+0x40/0x40
[ 53.711409]  ? depot_save_stack+0x292/0x470
[ 53.715806]  ? __lockdep_init_map+0x105/0x590
[ 53.720442]  ? __init_waitqueue_head+0x9e/0x150
[ 53.725129]  ? init_wait_entry+0x1c0/0x1c0
[ 53.729380]  __synchronize_srcu+0x17b/0x230
[ 53.733686]  ? call_srcu+0x10/0x10
[ 53.737212]  ? rcu_unexpedite_gp+0x20/0x20
[ 53.741444]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 53.746960]  ? check_preemption_disabled+0x48/0x200
[ 53.751956]  synchronize_srcu+0x356/0x5ab
[ 53.756083]  ? lock_downgrade+0x900/0x900
[ 53.760224]  ? synchronize_srcu_expedited+0x20/0x20
[ 53.765237]  ? kasan_check_read+0x11/0x20
[ 53.769364]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 53.773925]  ? kasan_check_write+0x14/0x20
[ 53.778152]  ? do_raw_spin_lock+0xc1/0x200
[ 53.782369]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 53.788056]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 53.793488]  ? kvfree+0x61/0x70
[ 53.796758]  ? rcu_read_lock_sched_held+0x108/0x120
[ 53.801757]  kvm_mmu_uninit_vm+0x1c/0x20
[ 53.805795]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 53.810185]  ? kvm_arch_sync_events+0x30/0x30
[ 53.814662]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 53.820177]  ? mmu_notifier_unregister+0x474/0x600
[ 53.825083]  ? kfree+0x107/0x230
[ 53.828427]  ? __mmu_notifier_register+0x30/0x30
[ 53.833161]  ? __free_pages+0x10a/0x190
[ 53.837140]  ? free_unref_page+0x960/0x960
[ 53.841368]  kvm_put_kvm+0x6c8/0xff0
[ 53.845070]  ? kvm_write_guest_cached+0x40/0x40
[ 53.849722]  ? kvm_irqfd_release+0xd1/0x120
[ 53.854023]  ? _raw_spin_unlock_irq+0x27/0x80
[ 53.858499]  ? _raw_spin_unlock_irq+0x27/0x80
[ 53.862980]  ? kasan_check_write+0x14/0x20
[ 53.867206]  ? do_raw_spin_lock+0xc1/0x200
[ 53.871423]  ? kvm_irqfd_release+0xdd/0x120
[ 53.875724]  ? kvm_irqfd_release+0xdd/0x120
[ 53.880114]  ? kvm_put_kvm+0xff0/0xff0
[ 53.883992]  kvm_vm_release+0x42/0x50
[ 53.887771]  __fput+0x385/0xa30
[ 53.891042]  ? get_max_files+0x20/0x20
[ 53.894981]  ? trace_hardirqs_on+0xbd/0x310
[ 53.899289]  ? ___might_sleep+0x1ed/0x300
[ 53.903418]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 53.908848]  ? arch_local_save_flags+0x40/0x40
[ 53.913415]  ? kasan_check_write+0x14/0x20
[ 53.917638]  ? do_raw_spin_lock+0xc1/0x200
[ 53.921856]  ____fput+0x15/0x20
[ 53.925221]  task_work_run+0x1e8/0x2a0
[ 53.929096]  ? task_work_cancel+0x240/0x240
[ 53.933404]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 53.938926]  ? switch_task_namespaces+0x9d/0xd0
[ 53.943589]  do_exit+0x1ad7/0x2610
[ 53.947108]  ? mm_update_next_owner+0x990/0x990
[ 53.951760]  ? kvm_vcpu_ioctl+0x29c/0x1150
[ 53.955990]  ? rcu_read_lock_sched_held+0x108/0x120
[ 53.961033]  ? kfree+0x1fa/0x230
[ 53.964505]  ? kvm_vcpu_ioctl+0x2a1/0x1150
[ 53.968729]  ? kvm_vcpu_block+0x1030/0x1030
[ 53.973035]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.978557]  ? avc_has_extended_perms+0xab2/0x15a0
[ 53.983490]  ? fpu__prepare_read+0x3b/0x750
[ 53.987863]  ? avc_ss_reset+0x190/0x190
[ 53.991824]  ? save_stack+0xa9/0xd0
[ 53.995436]  ? save_stack+0x43/0xd0
[ 53.999039]  ? __kasan_slab_free+0x102/0x150
[ 54.003430]  ? kasan_slab_free+0xe/0x10
[ 54.007469]  ? putname+0xf2/0x130
[ 54.010912]  ? __x64_sys_openat+0x9d/0x100
[ 54.015129]  ? do_syscall_64+0x1b9/0x820
[ 54.019183]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.024536]  ? ___might_sleep+0x1ed/0x300
[ 54.028668]  ? __bpf_trace_initcall_finish+0x2a/0x30
[ 54.033752]  ? trace_hardirqs_off+0xb8/0x310
[ 54.038155]  ? kvm_vcpu_block+0x1030/0x1030
[ 54.042468]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 54.047994]  ? do_vfs_ioctl+0x201/0x1720
[ 54.052051]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 54.057219]  ? ioctl_preallocate+0x300/0x300
[ 54.061623]  ? selinux_file_mprotect+0x620/0x620
[ 54.066368]  ? path_mountpoint+0x34f/0x2190
[ 54.070675]  ? rcu_read_lock_sched_held+0x108/0x120
[ 54.075678]  ? kmem_cache_free+0x24f/0x290
[ 54.079958]  ? putname+0xf7/0x130
[ 54.083402]  do_group_exit+0x177/0x440
[ 54.087272]  ? trace_hardirqs_on+0xbd/0x310
[ 54.091572]  ? __ia32_sys_exit+0x50/0x50
[ 54.095680]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 54.101131]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 54.106659]  ? ksys_ioctl+0x81/0xd0
[ 54.110266]  __x64_sys_exit_group+0x3e/0x50
[ 54.114568]  do_syscall_64+0x1b9/0x820
[ 54.118436]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 54.123797]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 54.128762]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.133594]  ? trace_hardirqs_on_caller+0x310/0x310
[ 54.138593]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 54.143588]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 54.148590]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.153422]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.158603] RIP: 0033:0x43ecc8
[ 54.161782] Code: Bad RIP value.
[ 54.165129] RSP: 002b:00007fff1c37d8c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 54.172821] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ecc8
[ 54.180098] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 54.187346] RBP: 00000000004be588 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 54.194597] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 54.201846] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 54.209099]
[ 54.210710] Allocated by task 5513:
[ 54.214321]  save_stack+0x43/0xd0
[ 54.217756]  kasan_kmalloc+0xc7/0xe0
[ 54.221454]  kasan_slab_alloc+0x12/0x20
[ 54.225406]  kmem_cache_alloc+0x12e/0x730
[ 54.229534]  vmx_create_vcpu+0xcf/0x25e0
[ 54.233573]  kvm_arch_vcpu_create+0xe5/0x220
[ 54.237958]  kvm_vm_ioctl+0x470/0x1d40
[ 54.241821]  do_vfs_ioctl+0x1de/0x1720
[ 54.245693]  ksys_ioctl+0xa9/0xd0
[ 54.249131]  __x64_sys_ioctl+0x73/0xb0
[ 54.252999]  do_syscall_64+0x1b9/0x820
[ 54.256873]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.262038]
[ 54.263656] Freed by task 5513:
[ 54.266911]  save_stack+0x43/0xd0
[ 54.270353]  __kasan_slab_free+0x102/0x150
[ 54.274565]  kasan_slab_free+0xe/0x10
[ 54.278353]  kmem_cache_free+0x83/0x290
[ 54.282313]  vmx_free_vcpu+0x26b/0x300
[ 54.286181]  kvm_arch_destroy_vm+0x365/0x7c0
[ 54.290569]  kvm_put_kvm+0x6c8/0xff0
[ 54.294310]  kvm_vm_release+0x42/0x50
[ 54.298093]  __fput+0x385/0xa30
[ 54.301347]  ____fput+0x15/0x20
[ 54.304614]  task_work_run+0x1e8/0x2a0
[ 54.308488]  do_exit+0x1ad7/0x2610
[ 54.312011]  do_group_exit+0x177/0x440
[ 54.315875]  __x64_sys_exit_group+0x3e/0x50
[ 54.320330]  do_syscall_64+0x1b9/0x820
[ 54.324202]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.329368]
[ 54.330976] The buggy address belongs to the object at ffff8801c1370040
[ 54.330976]  which belongs to the cache kvm_vcpu of size 23872
[ 54.343536] The buggy address is located 24 bytes inside of
[ 54.343536]  23872-byte region [ffff8801c1370040, ffff8801c1375d80)
[ 54.355484] The buggy address belongs to the page:
[ 54.360405] page:ffffea000704dc00 count:1 mapcount:0 mapping:ffff8801d4c14780 index:0x0 compound_mapcount: 0
[ 54.370358] flags: 0x2fffc0000008100(slab|head)
[ 54.375137] raw: 02fffc0000008100 ffff8801d4c15648 ffff8801d4c15648 ffff8801d4c14780
[ 54.383006] raw: 0000000000000000 ffff8801c1370040 0000000100000001 0000000000000000
[ 54.390868] page dumped because: kasan: bad access detected
[ 54.396552]
[ 54.398156] Memory state around the buggy address:
[ 54.403065]  ffff8801c136ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 54.410405]  ffff8801c136ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 54.417888] >ffff8801c1370000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 54.425327]                                                     ^
[ 54.431539]  ffff8801c1370080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.438937]  ffff8801c1370100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.446276] ==================================================================
[ 54.453611] Kernel panic - not syncing: panic_on_warn set ...
[ 54.453611]
[ 54.460959] CPU: 1 PID: 5513 Comm: syz-executor810 Tainted: G B 4.19.0-rc3+ #10
[ 54.469684] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.479082] Call Trace:
[ 54.481657]  dump_stack+0x1c4/0x2b4
[ 54.485274]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 54.490560]  ? lock_downgrade+0x900/0x900
[ 54.494700]  panic+0x238/0x4e7
[ 54.497873]  ? add_taint.cold.5+0x16/0x16
[ 54.502005]  ? print_shadow_for_address+0xb6/0x116
[ 54.506912]  ? trace_hardirqs_off+0xaf/0x310
[ 54.511304]  kasan_end_report+0x47/0x4f
[ 54.515305]  kasan_report.cold.9+0x76/0x309
[ 54.519621]  ? __schedule+0xfc3/0x1ed0
[ 54.523490]  __asan_report_load8_noabort+0x14/0x20
[ 54.528410]  __schedule+0xfc3/0x1ed0
[ 54.532142]  ? __sched_text_start+0x8/0x8
[ 54.536273]  ? __lock_is_held+0xb5/0x140
[ 54.540357]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 54.545446]  ? find_held_lock+0x36/0x1c0
[ 54.549492]  ? __call_srcu+0x7f9/0x1070
[ 54.553447]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 54.558537]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 54.563630]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 54.568202]  ? preempt_schedule+0x4d/0x60
[ 54.572395]  preempt_schedule_common+0x1f/0xd0
[ 54.576968]  preempt_schedule+0x4d/0x60
[ 54.580938]  ___preempt_schedule+0x16/0x18
[ 54.585158]  _raw_spin_unlock_irqrestore+0xbb/0xd0
[ 54.590084]  __call_srcu+0x7f9/0x1070
[ 54.593863]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 54.598949]  ? srcu_offline_cpu+0x120/0x120
[ 54.603249]  ? debug_object_free+0x690/0x690
[ 54.607642]  ? mark_held_locks+0x130/0x130
[ 54.611925]  ? kvm_arch_destroy_vm+0x414/0x7c0
[ 54.616498]  ? lock_release+0x970/0x970
[ 54.620472]  ? arch_local_save_flags+0x40/0x40
[ 54.625039]  ? depot_save_stack+0x292/0x470
[ 54.629345]  ? __lockdep_init_map+0x105/0x590
[ 54.633830]  ? __init_waitqueue_head+0x9e/0x150
[ 54.638527]  ? init_wait_entry+0x1c0/0x1c0
[ 54.642768]  __synchronize_srcu+0x17b/0x230
[ 54.647072]  ? call_srcu+0x10/0x10
[ 54.650592]  ? rcu_unexpedite_gp+0x20/0x20
[ 54.654808]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 54.660323]  ? check_preemption_disabled+0x48/0x200
[ 54.665318]  synchronize_srcu+0x356/0x5ab
[ 54.669444]  ? lock_downgrade+0x900/0x900
[ 54.673574]  ? synchronize_srcu_expedited+0x20/0x20
[ 54.678574]  ? kasan_check_read+0x11/0x20
[ 54.682704]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 54.687274]  ? kasan_check_write+0x14/0x20
[ 54.691540]  ? do_raw_spin_lock+0xc1/0x200
[ 54.695767]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 54.701461]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 54.706893]  ? kvfree+0x61/0x70
[ 54.710151]  ? rcu_read_lock_sched_held+0x108/0x120
[ 54.715285]  kvm_mmu_uninit_vm+0x1c/0x20
[ 54.719341]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 54.723731]  ? kvm_arch_sync_events+0x30/0x30
[ 54.728216]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 54.733734]  ? mmu_notifier_unregister+0x474/0x600
[ 54.738645]  ? kfree+0x107/0x230
[ 54.741999]  ? __mmu_notifier_register+0x30/0x30
[ 54.746738]  ? __free_pages+0x10a/0x190
[ 54.750738]  ? free_unref_page+0x960/0x960
[ 54.754965]  kvm_put_kvm+0x6c8/0xff0
[ 54.758722]  ? kvm_write_guest_cached+0x40/0x40
[ 54.763400]  ? kvm_irqfd_release+0xd1/0x120
[ 54.767711]  ? _raw_spin_unlock_irq+0x27/0x80
[ 54.772225]  ? _raw_spin_unlock_irq+0x27/0x80
[ 54.776712]  ? kasan_check_write+0x14/0x20
[ 54.780931]  ? do_raw_spin_lock+0xc1/0x200
[ 54.785181]  ? kvm_irqfd_release+0xdd/0x120
[ 54.789481]  ? kvm_irqfd_release+0xdd/0x120
[ 54.793788]  ? kvm_put_kvm+0xff0/0xff0
[ 54.797661]  kvm_vm_release+0x42/0x50
[ 54.801460]  __fput+0x385/0xa30
[ 54.804721]  ? get_max_files+0x20/0x20
[ 54.808622]  ? trace_hardirqs_on+0xbd/0x310
[ 54.813035]  ? ___might_sleep+0x1ed/0x300
[ 54.817164]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 54.822591]  ? arch_local_save_flags+0x40/0x40
[ 54.827174]  ? kasan_check_write+0x14/0x20
[ 54.831415]  ? do_raw_spin_lock+0xc1/0x200
[ 54.835646]  ____fput+0x15/0x20
[ 54.838913]  task_work_run+0x1e8/0x2a0
[ 54.842793]  ? task_work_cancel+0x240/0x240
[ 54.847103]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 54.852728]  ? switch_task_namespaces+0x9d/0xd0
[ 54.857382]  do_exit+0x1ad7/0x2610
[ 54.860907]  ? mm_update_next_owner+0x990/0x990
[ 54.865560]  ? kvm_vcpu_ioctl+0x29c/0x1150
[ 54.869778]  ? rcu_read_lock_sched_held+0x108/0x120
[ 54.874775]  ? kfree+0x1fa/0x230
[ 54.878198]  ? kvm_vcpu_ioctl+0x2a1/0x1150
[ 54.882529]  ? kvm_vcpu_block+0x1030/0x1030
[ 54.886855]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 54.892372]  ? avc_has_extended_perms+0xab2/0x15a0
[ 54.897290]  ? fpu__prepare_read+0x3b/0x750
[ 54.901603]  ? avc_ss_reset+0x190/0x190
[ 54.905562]  ? save_stack+0xa9/0xd0
[ 54.909165]  ? save_stack+0x43/0xd0
[ 54.912786]  ? __kasan_slab_free+0x102/0x150
[ 54.917182]  ? kasan_slab_free+0xe/0x10
[ 54.921145]  ? putname+0xf2/0x130
[ 54.924586]  ? __x64_sys_openat+0x9d/0x100
[ 54.928818]  ? do_syscall_64+0x1b9/0x820
[ 54.932872]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.938233]  ? ___might_sleep+0x1ed/0x300
[ 54.942363]  ? __bpf_trace_initcall_finish+0x2a/0x30
[ 54.947555]  ? trace_hardirqs_off+0xb8/0x310
[ 54.951949]  ? kvm_vcpu_block+0x1030/0x1030
[ 54.956253]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 54.961771]  ? do_vfs_ioctl+0x201/0x1720
[ 54.965815]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 54.970991]  ? ioctl_preallocate+0x300/0x300
[ 54.975401]  ? selinux_file_mprotect+0x620/0x620
[ 54.980143]  ? path_mountpoint+0x34f/0x2190
[ 54.984445]  ? rcu_read_lock_sched_held+0x108/0x120
[ 54.989442]  ? kmem_cache_free+0x24f/0x290
[ 54.993663]  ? putname+0xf7/0x130
[ 54.997108]  do_group_exit+0x177/0x440
[ 55.000976]  ? trace_hardirqs_on+0xbd/0x310
[ 55.005286]  ? __ia32_sys_exit+0x50/0x50
[ 55.009331]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 55.014905]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 55.020431]  ? ksys_ioctl+0x81/0xd0
[ 55.024040]  __x64_sys_exit_group+0x3e/0x50
[ 55.028342]  do_syscall_64+0x1b9/0x820
[ 55.032216]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 55.037566]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 55.042476]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 55.047299]  ? trace_hardirqs_on_caller+0x310/0x310
[ 55.052304]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 55.057346]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 55.062353]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 55.067241]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.072419] RIP: 0033:0x43ecc8
[ 55.075595] Code: Bad RIP value.
[ 55.078941] RSP: 002b:00007fff1c37d8c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 55.086633] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ecc8
[ 55.093887] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 55.101142] RBP: 00000000004be588 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 55.108401] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 55.115653] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 55.123047]
[ 55.123051] ======================================================
[ 55.123055] WARNING: possible circular locking dependency detected
[ 55.123057] 4.19.0-rc3+ #10 Not tainted
[ 55.123060] ------------------------------------------------------
[ 55.123063] syz-executor810/5513 is trying to acquire lock:
[ 55.123065] 00000000a5ea926f ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[ 55.123074]
[ 55.123077] but task is already holding lock:
[ 55.123079] 00000000ac4dd2fe (report_lock){....}, at: kasan_report+0x8b/0x110
[ 55.123087]
[ 55.123090] which lock already depends on the new lock.
[ 55.123091]
[ 55.123092]
[ 55.123095] the existing dependency chain (in reverse order) is:
[ 55.123097]
[ 55.123098] -> #3 (report_lock){....}:
[ 55.123106]        _raw_spin_lock_irqsave+0x99/0xd0
[ 55.123109]        kasan_report+0x8b/0x110
[ 55.123112]        __asan_report_load8_noabort+0x14/0x20
[ 55.123114]        __schedule+0xfc3/0x1ed0
[ 55.123116]        preempt_schedule_common+0x1f/0xd0
[ 55.123119]        preempt_schedule+0x4d/0x60
[ 55.123121]        ___preempt_schedule+0x16/0x18
[ 55.123124]        _raw_spin_unlock_irqrestore+0xbb/0xd0
[ 55.123126]        __call_srcu+0x7f9/0x1070
[ 55.123129]        __synchronize_srcu+0x17b/0x230
[ 55.123131]        synchronize_srcu+0x356/0x5ab
[ 55.123134]        kvm_page_track_unregister_notifier+0x17d/0x250
[ 55.123137]        kvm_mmu_uninit_vm+0x1c/0x20
[ 55.123139]        kvm_arch_destroy_vm+0x5f2/0x7c0
[ 55.123142]        kvm_put_kvm+0x6c8/0xff0
[ 55.123144]        kvm_vm_release+0x42/0x50
[ 55.123153]        __fput+0x385/0xa30
[ 55.123155]        ____fput+0x15/0x20
[ 55.123157]        task_work_run+0x1e8/0x2a0
[ 55.123160]        do_exit+0x1ad7/0x2610
[ 55.123165]        do_group_exit+0x177/0x440
[ 55.123167]        __x64_sys_exit_group+0x3e/0x50
[ 55.123170]        do_syscall_64+0x1b9/0x820
[ 55.123173]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.123174]
[ 55.123175] -> #2 (&rq->lock){-.-.}:
[ 55.123183]        _raw_spin_lock+0x2d/0x40
[ 55.123186]        task_fork_fair+0xb0/0x6d0
[ 55.123188]        sched_fork+0x443/0xba0
[ 55.123191]        copy_process+0x2586/0x8780
[ 55.123193]        _do_fork+0x1cb/0x11d0
[ 55.123195]        kernel_thread+0x34/0x40
[ 55.123198]        rest_init+0x22/0xe5
[ 55.123200]        start_kernel+0x8f4/0x92f
[ 55.123203]        x86_64_start_reservations+0x29/0x2b
[ 55.123205]        x86_64_start_kernel+0x76/0x79
[ 55.123208]        secondary_startup_64+0xa4/0xb0
[ 55.123209]
[ 55.123210] -> #1 (&p->pi_lock){-.-.}:
[ 55.123219]        _raw_spin_lock_irqsave+0x99/0xd0
[ 55.123221]        try_to_wake_up+0xd2/0x12f0
[ 55.123224]        wake_up_process+0x10/0x20
[ 55.123226]        __up.isra.1+0x1c0/0x2a0
[ 55.123228]        up+0x13c/0x1c0
[ 55.123231]        __up_console_sem+0xbe/0x1b0
[ 55.123233]        console_unlock+0x524/0x11a0
[ 55.123235]        vprintk_emit+0x33d/0x930
[ 55.123238]        vprintk_default+0x28/0x30
[ 55.123240]        vprintk_func+0x7e/0x181
[ 55.123242]        printk+0xa7/0xcf
[ 55.123244]        load_umh+0x51/0xbd
[ 55.123247]        do_one_initcall+0x145/0x957
[ 55.123249]        kernel_init_freeable+0x4bb/0x5ae
[ 55.123252]        kernel_init+0x11/0x1b2
[ 55.123254]        ret_from_fork+0x3a/0x50
[ 55.123255]
[ 55.123256] -> #0 ((console_sem).lock){-...}:
[ 55.123265]        lock_acquire+0x1ed/0x520
[ 55.123267]        _raw_spin_lock_irqsave+0x99/0xd0
[ 55.123270]        down_trylock+0x13/0x70
[ 55.123273]        __down_trylock_console_sem+0xae/0x200
[ 55.123275]        console_trylock+0x15/0xa0
[ 55.123277]        vprintk_emit+0x322/0x930
[ 55.123280]        vprintk_default+0x28/0x30
[ 55.123282]        vprintk_func+0x7e/0x181
[ 55.123284]        printk+0xa7/0xcf
[ 55.123286]        kasan_report+0x9b/0x110
[ 55.123289]        __asan_report_load8_noabort+0x14/0x20
[ 55.123291]        __schedule+0xfc3/0x1ed0
[ 55.123294]        preempt_schedule_common+0x1f/0xd0
[ 55.123296]        preempt_schedule+0x4d/0x60
[ 55.123299]        ___preempt_schedule+0x16/0x18
[ 55.123302]        _raw_spin_unlock_irqrestore+0xbb/0xd0
[ 55.123304]        __call_srcu+0x7f9/0x1070
[ 55.123307]        __synchronize_srcu+0x17b/0x230
[ 55.123309]        synchronize_srcu+0x356/0x5ab
[ 55.123312]        kvm_page_track_unregister_notifier+0x17d/0x250
[ 55.123315]        kvm_mmu_uninit_vm+0x1c/0x20
[ 55.123317]        kvm_arch_destroy_vm+0x5f2/0x7c0
[ 55.123320]        kvm_put_kvm+0x6c8/0xff0
[ 55.123322]        kvm_vm_release+0x42/0x50
[ 55.123324]        __fput+0x385/0xa30
[ 55.123326]        ____fput+0x15/0x20
[ 55.123329]        task_work_run+0x1e8/0x2a0
[ 55.123331]        do_exit+0x1ad7/0x2610
[ 55.123333]        do_group_exit+0x177/0x440
[ 55.123336]        __x64_sys_exit_group+0x3e/0x50
[ 55.123338]        do_syscall_64+0x1b9/0x820
[ 55.123341]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.123342]
[ 55.123345] other info that might help us debug this:
[ 55.123346]
[ 55.123348] Chain exists of:
[ 55.123349]   (console_sem).lock --> &rq->lock --> report_lock
[ 55.123360]
[ 55.123362]  Possible unsafe locking scenario:
[ 55.123364]
[ 55.123366]        CPU0                    CPU1
[ 55.123369]        ----                    ----
[ 55.123370]   lock(report_lock);
[ 55.123375]                                lock(&rq->lock);
[ 55.123381]                                lock(report_lock);
[ 55.123385]   lock((console_sem).lock);
[ 55.123390]
[ 55.123392]  *** DEADLOCK ***
[ 55.123393]
[ 55.123396] 2 locks held by syz-executor810/5513:
[ 55.123397]  #0: 000000004931862b (&rq->lock){-.-.}, at: __schedule+0x236/0x1ed0
[ 55.123407]  #1: 00000000ac4dd2fe (report_lock){....}, at: kasan_report+0x8b/0x110
[ 55.123418]
[ 55.123421] stack backtrace:
[ 55.123427] CPU: 1 PID: 5513 Comm: syz-executor810 Not tainted 4.19.0-rc3+ #10
[ 55.123433] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.123435] Call Trace:
[ 55.123437]  dump_stack+0x1c4/0x2b4
[ 55.123440]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 55.123442]  ? vprintk_func+0x85/0x181
[ 55.123445]  print_circular_bug.isra.33.cold.54+0x1bd/0x27d
[ 55.123448]  ? save_trace+0xe0/0x290
[ 55.123450]  __lock_acquire+0x33e4/0x4ec0
[ 55.123452]  ? mark_held_locks+0x130/0x130
[ 55.123455]  ? mark_held_locks+0x130/0x130
[ 55.123457]  ? rcu_bh_qs+0xc0/0xc0
[ 55.123459]  ? unwind_dump+0x190/0x190
[ 55.123462]  ? is_bpf_text_address+0xd3/0x170
[ 55.123465]  ? kernel_text_address+0x79/0xf0
[ 55.123467]  ? __kernel_text_address+0xd/0x40
[ 55.123470]  ? __save_stack_trace+0x8d/0xf0
[ 55.123472]  ? add_lock_to_list.isra.26+0x1ec/0x4b0
[ 55.123475]  ? save_trace+0x290/0x290
[ 55.123477]  ? save_stack_trace+0x1a/0x20
[ 55.123479]  ? save_trace+0xe0/0x290
[ 55.123481]  ? kasan_check_read+0x11/0x20
[ 55.123484]  ? graph_lock+0x170/0x170
[ 55.123487]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 55.123489]  lock_acquire+0x1ed/0x520
[ 55.123491]  ? down_trylock+0x13/0x70
[ 55.123493]  ? find_held_lock+0x36/0x1c0
[ 55.123496]  ? lock_release+0x970/0x970
[ 55.123498]  ? trace_hardirqs_off+0xb8/0x310
[ 55.123500]  ? vprintk_emit+0x1d3/0x930
[ 55.123503]  ? trace_hardirqs_on+0x310/0x310
[ 55.123505]  ? trace_hardirqs_off+0xb8/0x310
[ 55.123507]  ? log_store+0x344/0x4c0
[ 55.123510]  ? vprintk_emit+0x322/0x930
[ 55.123512]  _raw_spin_lock_irqsave+0x99/0xd0
[ 55.123514]  ? down_trylock+0x13/0x70
[ 55.123517]  down_trylock+0x13/0x70
[ 55.123519]  __down_trylock_console_sem+0xae/0x200
[ 55.123521]  console_trylock+0x15/0xa0
[ 55.123524]  vprintk_emit+0x322/0x930
[ 55.123526]  ? wake_up_klogd+0x180/0x180
[ 55.123529]  ? run_rebalance_domains+0x500/0x500
[ 55.123531]  ? wake_up_worker+0x117/0x190
[ 55.123533]  ? find_held_lock+0x36/0x1c0
[ 55.123536]  ? __queue_work+0x6be/0x1440
[ 55.123538]  ? lock_acquire+0x1ed/0x520
[ 55.123540]  vprintk_default+0x28/0x30
[ 55.123542]  vprintk_func+0x7e/0x181
[ 55.123544]  printk+0xa7/0xcf
[ 55.123547]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 55.123549]  ? kasan_check_write+0x14/0x20
[ 55.123552]  ? do_raw_spin_lock+0xc1/0x200
[ 55.123554]  ? do_raw_spin_lock+0xc1/0x200
[ 55.123556]  kasan_report+0x9b/0x110
[ 55.123559]  ? __schedule+0xfc3/0x1ed0
[ 55.123561]  __asan_report_load8_noabort+0x14/0x20
[ 55.123563]  __schedule+0xfc3/0x1ed0
[ 55.123566]  ? __sched_text_start+0x8/0x8
[ 55.123568]  ? __lock_is_held+0xb5/0x140
[ 55.123571]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 55.123573]  ? find_held_lock+0x36/0x1c0
[ 55.123575]  ? __call_srcu+0x7f9/0x1070
[ 55.123578]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 55.123581]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 55.123584]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 55.123586]  ? preempt_schedule+0x4d/0x60
[ 55.123588]  preempt_schedule_common+0x1f/0xd0
[ 55.123591]  preempt_schedule+0x4d/0x60
[ 55.123593]  ___preempt_schedule+0x16/0x18
[ 55.123596]  _raw_spin_unlock_irqrestore+0xbb/0xd0
[ 55.123598]  __call_srcu+0x7f9/0x1070
[ 55.123601]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 55.123603]  ? srcu_offline_cpu+0x120/0x120
[ 55.123606]  ? debug_object_free+0x690/0x690
[ 55.123608]  ? mark_held_locks+0x130/0x130
[ 55.123611]  ? kvm_arch_destroy_vm+0x414/0x7c0
[ 55.123613]  ? lock_release+0x970/0x970
[ 55.123616]  ? arch_local_save_flags+0x40/0x40
[ 55.123618]  ? depot_save_stack+0x292/0x470
[ 55.123620]  ? __lockdep_init_map+0x105/0x590
[ 55.123623]  ? __init_waitqueue_head+0x9e/0x150
[ 55.123625]  ? init_wait_entry+0x1c0/0x1c0
[ 55.123628]  __synchronize_srcu+0x17b/0x230
[ 55.123630]  ? call_srcu+0x10/0x10
[ 55.123632]  ? rcu_unexpedite_gp+0x20/0x20
[ 55.123635]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 55.123638]  ? check_preemption_disabled+0x48/0x200
[ 55.123640]  synchronize_srcu+0x356/0x5ab
[ 55.123643]  ? lock_downgrade+0x900/0x900
[ 55.123646]  ? synchronize_srcu_expedited+0x20/0x20
[ 55.123648]  ? kasan_check_read+0x11/0x20
[ 55.123651]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 55.123653]  ? kasan_check_write+0x14/0x20
[ 55.123655]  ? do_raw_spin_lock+0xc1/0x200
[ 55.123658]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 55.123661]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 55.123663]  ? kvfree+0x61/0x70
[ 55.123666]  ? rcu_read_lock_sched_held+0x108/0x120
[ 55.123669]  kvm_mmu_uninit_vm+0x1c/0x20
[ 55.123671]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 55.123674]  ? kvm_arch_sync_events+0x30/0x30
[ 55.123677]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 55.123679]  ? mmu_notifier_unregister+0x474/0x600
[ 55.123681]  ? kfree+0x107/0x230
[ 55.123684]  ? __mmu_notifier_register+0x30/0x30
[ 55.123686]  ? __free_pages+0x10a/0x190
[ 55.123689]  ? free_unref_page+0x960/0x960
[ 55.123691]  kvm_put_kvm+0x6c8/0xff0
[ 55.123693]  ? kvm_write_guest_cached+0x40/0x40
[ 55.123696]  ? kvm_irqfd_release+0xd1/0x120
[ 55.123698]  ? _raw_spin_unlock_irq+0x27/0x80
[ 55.123701]  ? _raw_spin_unlock_irq+0x27/0x80
[ 55.123703]  ? kasan_check_write+0x14/0x20
[ 55.123705]  ? do_raw_spin_lock+0xc1/0x200
[ 55.123708]  ? kvm_irqfd_release+0xdd
[ 55.123713] Lost 73 message(s)!
[ 56.257150] Shutting down cpus with NMI
[ 57.315123] Dumping ftrace buffer:
[ 57.318646]    (ftrace buffer empty)
[ 57.322839] Kernel Offset: disabled
[ 57.326497] Rebooting in 86400 seconds..