Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 37.699358] audit: type=1800 audit(1571580314.522:33): pid=7261 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0 [ 37.723369] audit: type=1800 audit(1571580314.532:34): pid=7261 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0 Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 40.814882] audit: type=1400 audit(1571580317.642:35): avc: denied { map } for pid=7436 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.1.35' (ECDSA) to the list of known hosts. executing program [ 47.271028] audit: type=1400 audit(1571580324.102:36): avc: denied { map } for pid=7448 comm="syz-executor383" path="/root/syz-executor383459212" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 executing program executing program [ 52.283957] ------------[ cut here ]------------ [ 52.289702] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80 [ 52.299701] WARNING: CPU: 0 PID: 7451 at lib/debugobjects.c:325 debug_print_object+0x168/0x250 [ 52.308436] Kernel panic - not syncing: panic_on_warn set ... [ 52.308436] [ 52.315787] CPU: 0 PID: 7451 Comm: syz-executor383 Not tainted 4.19.80 #0 [ 52.322691] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 52.332025] Call Trace: [ 52.334602] dump_stack+0x172/0x1f0 [ 52.338214] panic+0x26a/0x50e [ 52.341393] ? __warn_printk+0xf3/0xf3 [ 52.345269] ? debug_print_object+0x168/0x250 [ 52.349745] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 52.355264] ? __warn.cold+0x5/0x53 [ 52.358874] ? __warn+0xe8/0x1d0 [ 52.362244] ? debug_print_object+0x168/0x250 [ 52.366735] __warn.cold+0x20/0x53 [ 52.370257] ? trace_hardirqs_off+0x62/0x220 [ 52.374647] ? debug_print_object+0x168/0x250 [ 52.379139] report_bug+0x263/0x2b0 [ 52.382761] do_error_trap+0x204/0x360 [ 52.386648] ? math_error+0x340/0x340 [ 52.390437] ? wake_up_klogd+0x99/0xd0 [ 52.394377] ? vprintk_emit+0x1ab/0x690 [ 52.399815] ? error_entry+0x7c/0xe0 [ 52.403518] ? trace_hardirqs_off_caller+0x65/0x220 [ 52.408521] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 52.413349] do_invalid_op+0x1b/0x20 [ 52.417045] invalid_op+0x14/0x20 [ 52.420489] RIP: 0010:debug_print_object+0x168/0x250 [ 52.425581] Code: dd 60 4b 82 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48 8b 14 dd 60 4b 82 87 48 c7 c7 a0 40 82 87 e8 16 27 1a fe <0f> 0b 83 05 fb f4 18 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3 [ 52.444471] RSP: 0018:ffff88809714f8d8 EFLAGS: 00010086 [ 52.449861] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000 [ 52.457114] RDX: 0000000000000000 RSI: ffffffff81553f06 RDI: ffffed1012e29f0d [ 52.464381] RBP: ffff88809714f918 R08: ffff888087674380 R09: ffffed1015d03ee3 [ 52.471647] R10: ffffed1015d03ee2 R11: ffff8880ae81f717 R12: 0000000000000001 [ 52.478898] R13: ffffffff887aaac0 R14: ffffffff815ab490 R15: ffff8880a6598368 [ 52.486156] ? __internal_add_timer+0x1f0/0x1f0 [ 52.490810] ? vprintk_func+0x86/0x189 [ 52.494700] ? debug_print_object+0x168/0x250 [ 52.499180] debug_check_no_obj_freed+0x29f/0x464 [ 52.504025] kfree+0xbd/0x220 [ 52.507114] rfcomm_dlc_free+0x20/0x30 [ 52.510984] rfcomm_dev_ioctl+0x181f/0x1b60 [ 52.515393] ? __local_bh_enable_ip+0x15a/0x270 [ 52.520061] ? lock_sock_nested+0xe2/0x120 [ 52.524276] ? __local_bh_enable_ip+0x15a/0x270 [ 52.528928] ? rfcomm_dev_state_change+0x150/0x150 [ 52.533841] ? __local_bh_enable_ip+0x15a/0x270 [ 52.538511] rfcomm_sock_ioctl+0x90/0xb0 [ 52.542556] sock_do_ioctl+0xd8/0x2f0 [ 52.546342] ? compat_ifr_data_ioctl+0x160/0x160 [ 52.551079] ? __lock_acquire+0x6ee/0x49c0 [ 52.555311] ? rcu_read_lock_sched_held+0x110/0x130 [ 52.560324] ? kmem_cache_alloc+0x32a/0x700 [ 52.564632] sock_ioctl+0x325/0x610 [ 52.568240] ? dlci_ioctl_set+0x40/0x40 [ 52.572195] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 52.577719] ? __might_sleep+0x95/0x190 [ 52.581676] ? find_held_lock+0x35/0x130 [ 52.585736] ? dlci_ioctl_set+0x40/0x40 [ 52.589696] do_vfs_ioctl+0xd5f/0x1380 [ 52.593569] ? selinux_file_ioctl+0x46f/0x5e0 [ 52.598047] ? selinux_file_ioctl+0x125/0x5e0 [ 52.602544] ? ioctl_preallocate+0x210/0x210 [ 52.606933] ? selinux_file_mprotect+0x620/0x620 [ 52.611677] ? __sanitizer_cov_trace_cmp1+0xb/0x20 [ 52.616587] ? __fd_install+0x200/0x640 [ 52.620557] ? fd_install+0x4d/0x60 [ 52.624184] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 52.629706] ? security_file_ioctl+0x8d/0xc0 [ 52.634095] ksys_ioctl+0xab/0xd0 [ 52.637531] __x64_sys_ioctl+0x73/0xb0 [ 52.641403] do_syscall_64+0xfd/0x620 [ 52.645192] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 52.650374] RIP: 0033:0x441229 [ 52.653551] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 52.672699] RSP: 002b:00007ffcc310d278 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 52.680392] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229 [ 52.687661] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004 [ 52.694928] RBP: 000000000000cc18 R08: 00000000004002c8 R09: 00000000004002c8 [ 52.702193] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050 [ 52.709453] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000 [ 52.716725] [ 52.716728] ====================================================== [ 52.716731] WARNING: possible circular locking dependency detected [ 52.716733] 4.19.80 #0 Not tainted [ 52.716737] ------------------------------------------------------ [ 52.716740] syz-executor383/7451 is trying to acquire lock: [ 52.716742] 00000000fef20598 ((console_sem).lock){-...}, at: down_trylock+0x13/0x70 [ 52.716750] [ 52.716753] but task is already holding lock: [ 52.716755] 00000000f3038f17 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464 [ 52.716763] [ 52.716766] which lock already depends on the new lock. [ 52.716767] [ 52.716769] [ 52.716772] the existing dependency chain (in reverse order) is: [ 52.716773] [ 52.716774] -> #3 (&obj_hash[i].lock){-.-.}: [ 52.716783] _raw_spin_lock_irqsave+0x95/0xcd [ 52.716785] __debug_object_init+0xc6/0xc30 [ 52.716788] debug_object_init+0x16/0x20 [ 52.716790] hrtimer_init+0x2a/0x300 [ 52.716792] init_dl_task_timer+0x1b/0x50 [ 52.716795] __sched_fork+0x22a/0x4b0 [ 52.716797] init_idle+0x75/0x800 [ 52.716799] sched_init+0x952/0x9f0 [ 52.716801] start_kernel+0x402/0x8c5 [ 52.716804] x86_64_start_reservations+0x29/0x2b [ 52.716806] x86_64_start_kernel+0x77/0x7b [ 52.716809] secondary_startup_64+0xa4/0xb0 [ 52.716810] [ 52.716811] -> #2 (&rq->lock){-.-.}: [ 52.716819] _raw_spin_lock+0x2f/0x40 [ 52.716822] task_fork_fair+0x6a/0x520 [ 52.716824] sched_fork+0x3af/0x900 [ 52.716826] copy_process.part.0+0x1859/0x7a30 [ 52.716829] _do_fork+0x257/0xfd0 [ 52.716831] kernel_thread+0x34/0x40 [ 52.716833] rest_init+0x24/0x222 [ 52.716835] start_kernel+0x88c/0x8c5 [ 52.716838] x86_64_start_reservations+0x29/0x2b [ 52.716840] x86_64_start_kernel+0x77/0x7b [ 52.716843] secondary_startup_64+0xa4/0xb0 [ 52.716844] [ 52.716845] -> #1 (&p->pi_lock){-.-.}: [ 52.716853] _raw_spin_lock_irqsave+0x95/0xcd [ 52.716856] try_to_wake_up+0x94/0xf50 [ 52.716858] wake_up_process+0x10/0x20 [ 52.716860] __up.isra.0+0x136/0x1a0 [ 52.716862] up+0x9c/0xe0 [ 52.716865] __up_console_sem+0xb7/0x1c0 [ 52.716867] console_unlock+0x6c7/0x10b0 [ 52.716869] do_con_write.part.0+0xeec/0x1eb0 [ 52.716872] con_write+0x46/0xd0 [ 52.716874] n_tty_write+0x3f9/0x10f0 [ 52.716876] tty_write+0x458/0x7a0 [ 52.716878] __vfs_write+0x114/0x810 [ 52.716880] vfs_write+0x20c/0x560 [ 52.716883] ksys_write+0x14f/0x2d0 [ 52.716885] __x64_sys_write+0x73/0xb0 [ 52.716887] do_syscall_64+0xfd/0x620 [ 52.716890] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 52.716891] [ 52.716892] -> #0 ((console_sem).lock){-...}: [ 52.716901] lock_acquire+0x16f/0x3f0 [ 52.716903] _raw_spin_lock_irqsave+0x95/0xcd [ 52.716905] down_trylock+0x13/0x70 [ 52.716908] __down_trylock_console_sem+0xa8/0x210 [ 52.716911] console_trylock+0x15/0xa0 [ 52.716913] vprintk_emit+0x21d/0x690 [ 52.716915] vprintk_default+0x28/0x30 [ 52.716917] vprintk_func+0x7e/0x189 [ 52.716920] printk+0xba/0xed [ 52.716922] __warn_printk+0x9b/0xf3 [ 52.716924] debug_print_object+0x168/0x250 [ 52.716927] debug_check_no_obj_freed+0x29f/0x464 [ 52.716929] kfree+0xbd/0x220 [ 52.716931] rfcomm_dlc_free+0x20/0x30 [ 52.716934] rfcomm_dev_ioctl+0x181f/0x1b60 [ 52.716936] rfcomm_sock_ioctl+0x90/0xb0 [ 52.716939] sock_do_ioctl+0xd8/0x2f0 [ 52.716941] sock_ioctl+0x325/0x610 [ 52.716943] do_vfs_ioctl+0xd5f/0x1380 [ 52.716945] ksys_ioctl+0xab/0xd0 [ 52.716948] __x64_sys_ioctl+0x73/0xb0 [ 52.716950] do_syscall_64+0xfd/0x620 [ 52.716953] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 52.716954] [ 52.716957] other info that might help us debug this: [ 52.716958] [ 52.716960] Chain exists of: [ 52.716961] (console_sem).lock --> &rq->lock --> &obj_hash[i].lock [ 52.716971] [ 52.716974] Possible unsafe locking scenario: [ 52.716975] [ 52.716977] CPU0 CPU1 [ 52.716980] ---- ---- [ 52.716981] lock(&obj_hash[i].lock); [ 52.716987] lock(&rq->lock); [ 52.716996] lock(&obj_hash[i].lock); [ 52.717004] lock((console_sem).lock); [ 52.717012] [ 52.717015] *** DEADLOCK *** [ 52.717018] [ 52.717022] 3 locks held by syz-executor383/7451: [ 52.717024] #0: 00000000e4974c19 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: rfcomm_sock_ioctl+0x82/0xb0 [ 52.717041] #1: 000000000ac8fc0c (rfcomm_ioctl_mutex){+.+.}, at: rfcomm_dev_ioctl+0x4f0/0x1b60 [ 52.717051] #2: 00000000f3038f17 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464 [ 52.717061] [ 52.717063] stack backtrace: [ 52.717066] CPU: 0 PID: 7451 Comm: syz-executor383 Not tainted 4.19.80 #0 [ 52.717071] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 52.717072] Call Trace: [ 52.717075] dump_stack+0x172/0x1f0 [ 52.717077] print_circular_bug.isra.0.cold+0x1cc/0x28f [ 52.717080] __lock_acquire+0x2e19/0x49c0 [ 52.717082] ? mark_held_locks+0x100/0x100 [ 52.717084] ? kvm_clock_read+0x18/0x30 [ 52.717087] ? kvm_sched_clock_read+0x9/0x20 [ 52.717089] lock_acquire+0x16f/0x3f0 [ 52.717091] ? down_trylock+0x13/0x70 [ 52.717094] _raw_spin_lock_irqsave+0x95/0xcd [ 52.717096] ? down_trylock+0x13/0x70 [ 52.717098] ? vprintk_emit+0x21d/0x690 [ 52.717100] down_trylock+0x13/0x70 [ 52.717103] ? vprintk_emit+0x21d/0x690 [ 52.717105] __down_trylock_console_sem+0xa8/0x210 [ 52.717107] console_trylock+0x15/0xa0 [ 52.717110] vprintk_emit+0x21d/0x690 [ 52.717112] ? __internal_add_timer+0x1f0/0x1f0 [ 52.717115] vprintk_default+0x28/0x30 [ 52.717117] vprintk_func+0x7e/0x189 [ 52.717119] printk+0xba/0xed [ 52.717121] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 52.717124] ? __warn_printk+0x8f/0xf3 [ 52.717126] ? rfcomm_session_add+0x300/0x300 [ 52.717128] __warn_printk+0x9b/0xf3 [ 52.717130] ? add_taint.cold+0x16/0x16 [ 52.717133] ? skb_dequeue+0x12e/0x180 [ 52.717135] ? rfcomm_session_add+0x300/0x300 [ 52.717138] debug_print_object+0x168/0x250 [ 52.717140] debug_check_no_obj_freed+0x29f/0x464 [ 52.717142] kfree+0xbd/0x220 [ 52.717145] rfcomm_dlc_free+0x20/0x30 [ 52.717147] rfcomm_dev_ioctl+0x181f/0x1b60 [ 52.717150] ? __local_bh_enable_ip+0x15a/0x270 [ 52.717152] ? lock_sock_nested+0xe2/0x120 [ 52.717154] ? __local_bh_enable_ip+0x15a/0x270 [ 52.717157] ? rfcomm_dev_state_change+0x150/0x150 [ 52.717160] ? __local_bh_enable_ip+0x15a/0x270 [ 52.717162] rfcomm_sock_ioctl+0x90/0xb0 [ 52.717164] sock_do_ioctl+0xd8/0x2f0 [ 52.717167] ? compat_ifr_data_ioctl+0x160/0x160 [ 52.717169] ? __lock_acquire+0x6ee/0x49c0 [ 52.717172] ? rcu_read_lock_sched_held+0x110/0x130 [ 52.717174] ? kmem_cache_alloc+0x32a/0x700 [ 52.717176] sock_ioctl+0x325/0x610 [ 52.717179] ? dlci_ioctl_set+0x40/0x40 [ 52.717182] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 52.717184] ? __might_sleep+0x95/0x190 [ 52.717186] ? find_held_lock+0x35/0x130 [ 52.717189] ? dlci_ioctl_set+0x40/0x40 [ 52.717191] do_vfs_ioctl+0xd5f/0x1380 [ 52.717193] ? selinux_file_ioctl+0x46f/0x5e0 [ 52.717196] ? selinux_file_ioctl+0x125/0x5e0 [ 52.717198] ? ioctl_preallocate+0x210/0x210 [ 52.717201] ? selinux_file_mprotect+0x620/0x620 [ 52.717204] ? __sanitizer_cov_trace_cmp1+0xb/0x20 [ 52.717206] ? __fd_install+0x200/0x640 [ 52.717208] ? fd_install+0x4d/0x60 [ 52.717211] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 52.717213] ? security_file_ioctl+0x8d/0xc0 [ 52.717216] ksys_ioctl+0xab/0xd0 [ 52.717218] __x64_sys_ioctl+0x73/0xb0 [ 52.717220] do_syscall_64+0xfd/0x620 [ 52.717223] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 52.717225] RIP: 0033:0x441229 [ 52.717233] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 52.717236] RSP: 002b:00007ffcc310d278 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 52.717242] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229 [ 52.717245] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004 [ 52.717249] RBP: 000000000000cc18 R08: 00000000004002c8 R09: 00000000004002c8 [ 52.717252] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050 [ 52.717256] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000 [ 52.718533] Kernel Offset: disabled [ 53.550128] Rebooting in 86400 seconds..