[   40.393334] audit: type=1800 audit(1572414058.330:30): pid=7372 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
[   40.434501] audit: type=1800 audit(1572414058.340:31): pid=7372 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.25' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   50.181613] kauditd_printk_skb: 4 callbacks suppressed
[   50.181636] audit: type=1400 audit(1572414068.150:36): avc: denied { map } for pid=7559 comm="syz-executor873" path="/root/syz-executor873622286" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[   55.194983] ------------[ cut here ]------------
[   55.200862] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80
[   55.211234] WARNING: CPU: 1 PID: 7562 at lib/debugobjects.c:325 debug_print_object+0x168/0x250
[   55.220110] Kernel panic - not syncing: panic_on_warn set ...
[   55.220110] 
[   55.227531] CPU: 1 PID: 7562 Comm: syz-executor873 Not tainted 4.19.81 #0
[   55.234605] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   55.244429] Call Trace:
[   55.247596]  dump_stack+0x172/0x1f0
[   55.251287]  panic+0x26a/0x50e
[   55.254632]  ? __warn_printk+0xf3/0xf3
[   55.258547]  ? debug_print_object+0x168/0x250
[   55.263047]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.268596]  ? __warn.cold+0x5/0x53
[   55.272230]  ? __warn+0xe8/0x1d0
[   55.275609]  ? debug_print_object+0x168/0x250
[   55.280094]  __warn.cold+0x20/0x53
[   55.283620]  ? trace_hardirqs_off+0x62/0x220
[   55.288017]  ? debug_print_object+0x168/0x250
[   55.292513]  report_bug+0x263/0x2b0
[   55.296131]  do_error_trap+0x204/0x360
[   55.300064]  ? math_error+0x340/0x340
[   55.303855]  ? wake_up_klogd+0x99/0xd0
[   55.307735]  ? vprintk_emit+0x1ab/0x690
[   55.311703]  ? error_entry+0x7c/0xe0
[   55.315418]  ? trace_hardirqs_off_caller+0x65/0x220
[   55.320424]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   55.325269]  do_invalid_op+0x1b/0x20
[   55.328969]  invalid_op+0x14/0x20
[   55.332413] RIP: 0010:debug_print_object+0x168/0x250
[   55.337664] Code: dd a0 4b 82 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48 8b 14 dd a0 4b 82 87 48 c7 c7 e0 40 82 87 e8 66 28 1a fe <0f> 0b 83 05 4b f5 18 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
[   55.357553] RSP: 0018:ffff88808a49f8d8 EFLAGS: 00010086
[   55.362919] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[   55.370664] RDX: 0000000000000000 RSI: ffffffff81553f06 RDI: ffffed1011493f0d
[   55.378130] RBP: ffff88808a49f918 R08: ffff888097cbe640 R09: ffffed1015d23ee3
[   55.385542] R10: ffffed1015d23ee2 R11: ffff8880ae91f717 R12: 0000000000000001
[   55.392946] R13: ffffffff887aaac0 R14: ffffffff815ab490 R15: ffff88808fc9d5a8
[   55.400222]  ? __internal_add_timer+0x1f0/0x1f0
[   55.404997]  ? vprintk_func+0x86/0x189
[   55.409688]  ? debug_print_object+0x168/0x250
[   55.414462]  debug_check_no_obj_freed+0x29f/0x464
[   55.419327]  kfree+0xbd/0x220
[   55.422453]  rfcomm_dlc_free+0x20/0x30
[   55.426516]  rfcomm_dev_ioctl+0x181f/0x1b60
[   55.430969]  ? __local_bh_enable_ip+0x15a/0x270
[   55.435651]  ? lock_sock_nested+0xe2/0x120
[   55.439964]  ? __local_bh_enable_ip+0x15a/0x270
[   55.445008]  ? rfcomm_dev_state_change+0x150/0x150
[   55.451213]  ? __local_bh_enable_ip+0x15a/0x270
[   55.456072]  rfcomm_sock_ioctl+0x90/0xb0
[   55.460239]  sock_do_ioctl+0xd8/0x2f0
[   55.464079]  ? compat_ifr_data_ioctl+0x160/0x160
[   55.468946]  ? __lock_acquire+0x6ee/0x49c0
[   55.473185]  ? rcu_read_lock_sched_held+0x110/0x130
[   55.478222]  ? kmem_cache_alloc+0x32a/0x700
[   55.482557]  sock_ioctl+0x325/0x610
[   55.486199]  ? dlci_ioctl_set+0x40/0x40
[   55.490170]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.495710]  ? __might_sleep+0x95/0x190
[   55.499676]  ? find_held_lock+0x35/0x130
[   55.503743]  ? dlci_ioctl_set+0x40/0x40
[   55.507718]  do_vfs_ioctl+0xd5f/0x1380
[   55.511621]  ? selinux_file_ioctl+0x46f/0x5e0
[   55.516126]  ? selinux_file_ioctl+0x125/0x5e0
[   55.520629]  ? ioctl_preallocate+0x210/0x210
[   55.525047]  ? selinux_file_mprotect+0x620/0x620
[   55.530052]  ? __sanitizer_cov_trace_cmp1+0xb/0x20
[   55.535099]  ? __fd_install+0x200/0x640
[   55.539159]  ? fd_install+0x4d/0x60
[   55.542808]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.548357]  ? security_file_ioctl+0x8d/0xc0
[   55.552768]  ksys_ioctl+0xab/0xd0
[   55.556227]  __x64_sys_ioctl+0x73/0xb0
[   55.560108]  do_syscall_64+0xfd/0x620
[   55.565047]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.570243] RIP: 0033:0x441229
[   55.573431] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   55.592472] RSP: 002b:00007ffdece66c98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   55.600188] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[   55.607468] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[   55.615275] RBP: 000000000000d77e R08: 00000000004002c8 R09: 00000000004002c8
[   55.622552] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[   55.629890] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[   55.637298] 
[   55.637302] ======================================================
[   55.637305] WARNING: possible circular locking dependency detected
[   55.637307] 4.19.81 #0 Not tainted
[   55.637311] ------------------------------------------------------
[   55.637314] syz-executor873/7562 is trying to acquire lock:
[   55.637375] 00000000b90dc6c0 ((console_sem).lock){-.-.}, at: down_trylock+0x13/0x70
[   55.637387] 
[   55.637389] but task is already holding lock:
[   55.637391] 00000000bda1ad4b (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[   55.637400] 
[   55.637403] which lock already depends on the new lock.
[   55.637404] 
[   55.637406] 
[   55.637409] the existing dependency chain (in reverse order) is:
[   55.637410] 
[   55.637412] -> #3 (&obj_hash[i].lock){-.-.}:
[   55.637420]        _raw_spin_lock_irqsave+0x95/0xcd
[   55.637423]        __debug_object_init+0xc6/0xc30
[   55.637426]        debug_object_init+0x16/0x20
[   55.637428]        hrtimer_init+0x2a/0x300
[   55.637431]        init_dl_task_timer+0x1b/0x50
[   55.637433]        __sched_fork+0x22a/0x4b0
[   55.637435]        init_idle+0x75/0x800
[   55.637437]        sched_init+0x952/0x9f0
[   55.637440]        start_kernel+0x402/0x8c5
[   55.637443]        x86_64_start_reservations+0x29/0x2b
[   55.637445]        x86_64_start_kernel+0x77/0x7b
[   55.637448]        secondary_startup_64+0xa4/0xb0
[   55.637449] 
[   55.637450] -> #2 (&rq->lock){-.-.}:
[   55.637459]        _raw_spin_lock+0x2f/0x40
[   55.637461]        task_fork_fair+0x6a/0x520
[   55.637463]        sched_fork+0x3af/0x900
[   55.637466]        copy_process.part.0+0x1859/0x7a30
[   55.637468]        _do_fork+0x257/0xfd0
[   55.637470]        kernel_thread+0x34/0x40
[   55.637473]        rest_init+0x24/0x222
[   55.637475]        start_kernel+0x88c/0x8c5
[   55.637478]        x86_64_start_reservations+0x29/0x2b
[   55.637480]        x86_64_start_kernel+0x77/0x7b
[   55.637483]        secondary_startup_64+0xa4/0xb0
[   55.637484] 
[   55.637485] -> #1 (&p->pi_lock){-.-.}:
[   55.637494]        _raw_spin_lock_irqsave+0x95/0xcd
[   55.637496]        try_to_wake_up+0x94/0xf50
[   55.637498]        wake_up_process+0x10/0x20
[   55.637501]        __up.isra.0+0x136/0x1a0
[   55.637503]        up+0x9c/0xe0
[   55.637505]        __up_console_sem+0xb7/0x1c0
[   55.637508]        console_unlock+0x6c7/0x10b0
[   55.637510]        vprintk_emit+0x238/0x690
[   55.637513]        vprintk_default+0x28/0x30
[   55.637515]        vprintk_func+0x7e/0x189
[   55.637517]        printk+0xba/0xed
[   55.637520]        kauditd_hold_skb.cold+0x3f/0x4e
[   55.637522]        kauditd_send_queue+0x12b/0x170
[   55.637525]        kauditd_thread+0x732/0xa60
[   55.637527]        kthread+0x354/0x420
[   55.637529]        ret_from_fork+0x24/0x30
[   55.637530] 
[   55.637532] -> #0 ((console_sem).lock){-.-.}:
[   55.637540]        lock_acquire+0x16f/0x3f0
[   55.637543]        _raw_spin_lock_irqsave+0x95/0xcd
[   55.637545]        down_trylock+0x13/0x70
[   55.637548]        __down_trylock_console_sem+0xa8/0x210
[   55.637550]        console_trylock+0x15/0xa0
[   55.637553]        vprintk_emit+0x21d/0x690
[   55.637555]        vprintk_default+0x28/0x30
[   55.637557]        vprintk_func+0x7e/0x189
[   55.637559]        printk+0xba/0xed
[   55.637562]        __warn_printk+0x9b/0xf3
[   55.637564]        debug_print_object+0x168/0x250
[   55.637567]        debug_check_no_obj_freed+0x29f/0x464
[   55.637569]        kfree+0xbd/0x220
[   55.637572]        rfcomm_dlc_free+0x20/0x30
[   55.637575]        rfcomm_dev_ioctl+0x181f/0x1b60
[   55.637577]        rfcomm_sock_ioctl+0x90/0xb0
[   55.637580]        sock_do_ioctl+0xd8/0x2f0
[   55.637582]        sock_ioctl+0x325/0x610
[   55.637584]        do_vfs_ioctl+0xd5f/0x1380
[   55.637587]        ksys_ioctl+0xab/0xd0
[   55.637589]        __x64_sys_ioctl+0x73/0xb0
[   55.637592]        do_syscall_64+0xfd/0x620
[   55.637595]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.637596] 
[   55.637599] other info that might help us debug this:
[   55.637600] 
[   55.637602] Chain exists of:
[   55.637603]   (console_sem).lock --> &rq->lock --> &obj_hash[i].lock
[   55.637613] 
[   55.637616]  Possible unsafe locking scenario:
[   55.637617] 
[   55.637620]        CPU0                    CPU1
[   55.637622]        ----                    ----
[   55.637623]   lock(&obj_hash[i].lock);
[   55.637629]                                lock(&rq->lock);
[   55.637634]                                lock(&obj_hash[i].lock);
[   55.637639]   lock((console_sem).lock);
[   55.637644] 
[   55.637646]  *** DEADLOCK ***
[   55.637647] 
[   55.637649] 3 locks held by syz-executor873/7562:
[   55.637651]  #0: 00000000136d202c (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: rfcomm_sock_ioctl+0x82/0xb0
[   55.637662]  #1: 0000000033a9534c (rfcomm_ioctl_mutex){+.+.}, at: rfcomm_dev_ioctl+0x4f0/0x1b60
[   55.637672]  #2: 00000000bda1ad4b (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[   55.637682] 
[   55.637684] stack backtrace:
[   55.637688] CPU: 1 PID: 7562 Comm: syz-executor873 Not tainted 4.19.81 #0
[   55.637692] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   55.637694] Call Trace:
[   55.637696]  dump_stack+0x172/0x1f0
[   55.637699]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[   55.637701]  __lock_acquire+0x2e19/0x49c0
[   55.637704]  ? mark_held_locks+0x100/0x100
[   55.637706]  ? kvm_clock_read+0x18/0x30
[   55.637709]  ? kvm_sched_clock_read+0x9/0x20
[   55.637711]  lock_acquire+0x16f/0x3f0
[   55.637713]  ? down_trylock+0x13/0x70
[   55.637716]  _raw_spin_lock_irqsave+0x95/0xcd
[   55.637718]  ? down_trylock+0x13/0x70
[   55.637720]  ? vprintk_emit+0x21d/0x690
[   55.637722]  down_trylock+0x13/0x70
[   55.637725]  ? vprintk_emit+0x21d/0x690
[   55.637727]  __down_trylock_console_sem+0xa8/0x210
[   55.637730]  console_trylock+0x15/0xa0
[   55.637732]  vprintk_emit+0x21d/0x690
[   55.637735]  ? __internal_add_timer+0x1f0/0x1f0
[   55.637737]  vprintk_default+0x28/0x30
[   55.637739]  vprintk_func+0x7e/0x189
[   55.637741]  printk+0xba/0xed
[   55.637744]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   55.637746]  ? __warn_printk+0x8f/0xf3
[   55.637749]  ? rfcomm_session_add+0x300/0x300
[   55.637751]  __warn_printk+0x9b/0xf3
[   55.637753]  ? add_taint.cold+0x16/0x16
[   55.637756]  ? skb_dequeue+0x12e/0x180
[   55.637758]  ? rfcomm_session_add+0x300/0x300
[   55.637761]  debug_print_object+0x168/0x250
[   55.637763]  debug_check_no_obj_freed+0x29f/0x464
[   55.637765]  kfree+0xbd/0x220
[   55.637768]  rfcomm_dlc_free+0x20/0x30
[   55.637770]  rfcomm_dev_ioctl+0x181f/0x1b60
[   55.637773]  ? __local_bh_enable_ip+0x15a/0x270
[   55.637775]  ? lock_sock_nested+0xe2/0x120
[   55.637778]  ? __local_bh_enable_ip+0x15a/0x270
[   55.637780]  ? rfcomm_dev_state_change+0x150/0x150
[   55.637783]  ? __local_bh_enable_ip+0x15a/0x270
[   55.637785]  rfcomm_sock_ioctl+0x90/0xb0
[   55.637788]  sock_do_ioctl+0xd8/0x2f0
[   55.637790]  ? compat_ifr_data_ioctl+0x160/0x160
[   55.637793]  ? __lock_acquire+0x6ee/0x49c0
[   55.637796]  ? rcu_read_lock_sched_held+0x110/0x130
[   55.637799]  ? kmem_cache_alloc+0x32a/0x700
[   55.637802]  sock_ioctl+0x325/0x610
[   55.637804]  ? dlci_ioctl_set+0x40/0x40
[   55.637807]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.637809]  ? __might_sleep+0x95/0x190
[   55.637812]  ? find_held_lock+0x35/0x130
[   55.637814]  ? dlci_ioctl_set+0x40/0x40
[   55.637817]  do_vfs_ioctl+0xd5f/0x1380
[   55.637819]  ? selinux_file_ioctl+0x46f/0x5e0
[   55.637822]  ? selinux_file_ioctl+0x125/0x5e0
[   55.637824]  ? ioctl_preallocate+0x210/0x210
[   55.637827]  ? selinux_file_mprotect+0x620/0x620
[   55.637830]  ? __sanitizer_cov_trace_cmp1+0xb/0x20
[   55.637833]  ? __fd_install+0x200/0x640
[   55.637835]  ? fd_install+0x4d/0x60
[   55.637838]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.637841]  ? security_file_ioctl+0x8d/0xc0
[   55.637859]  ksys_ioctl+0xab/0xd0
[   55.637861]  __x64_sys_ioctl+0x73/0xb0
[   55.637863]  do_syscall_64+0xfd/0x620
[   55.637866]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.637868] RIP: 0033:0x441229
[   55.637878] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   55.637880] RSP: 002b:00007ffdece66c98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   55.637887] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[   55.637890] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[   55.637894] RBP: 000000000000d77e R08: 00000000004002c8 R09: 00000000004002c8
[   55.637898] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[   55.637902] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[   55.639463] Kernel Offset: disabled
[   56.485123] Rebooting in 86400 seconds..
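Reading the log: the guest ran 4.19.81 with debugobjects and panic_on_warn enabled. debug_check_no_obj_freed() caught kfree() inside rfcomm_dlc_free(), reached from rfcomm_dev_ioctl() through an ioctl(2) on an RFCOMM socket (the task holds sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM and rfcomm_ioctl_mutex), releasing an object that still contained an armed timer_list whose callback is rfcomm_dlc_timeout. That is the finding of security interest: if the timer fires after the free, the callback runs on freed memory. Everything after the WARNING is fallout, not a second bug: panic_on_warn turned the warning into a panic, and the printk issued while &obj_hash[i].lock was held made lockdep report the (console_sem).lock --> &rq->lock --> &obj_hash[i].lock cycle. The Python below is an added triage helper, not part of the syzkaller output or of any kernel tooling; it assumes only the message shapes visible above (printk timestamps, "Call Trace:" frames with "?" marking stale slots, the ODEBUG/WARNING lines and the "Chain exists of" line) and pulls the culprit frame and the secondary report out of a raw console log. The embedded sample is a constructed excerpt of the lines above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Regexes follow the message shapes visible in the console log above.
STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?(.*)$")
FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
ODEBUG = re.compile(r"ODEBUG: free active .*object type: (\S+) hint: ([^+\s]+)")
WARN_AT = re.compile(r"WARNING: CPU: \d+ PID: (\d+) at (\S+:\d+) ")
COMM = re.compile(r"\bComm: (\S+)")
SYSCALL = re.compile(r"^__(?:x64|ia32|se)_sys_(\w+)$")
LOCK_CHAIN = re.compile(r"^(\S+(?: --> \S+)+)$")
TRACE_END = re.compile(r"^(RIP: 0033:|={10,}|---\[ end trace)")
FREE_FUNCS = {"kfree", "kmem_cache_free", "kvfree", "vfree"}  # caller of these freed the object


@dataclass
class CrashSummary:
    object_type: Optional[str] = None    # e.g. timer_list
    hint: Optional[str] = None           # callback of the still-active object
    warning_site: Optional[str] = None   # file:line of the WARN
    pid: Optional[int] = None
    comm: Optional[str] = None
    panic_on_warn: bool = False
    culprit: Optional[str] = None        # function that called the free
    caller: Optional[str] = None         # its caller
    syscall: Optional[str] = None        # entry syscall, if any
    frames: List[str] = field(default_factory=list)   # reliable frames of the first trace
    lockdep_chain: Optional[List[str]] = None


def parse_crash(log: str) -> CrashSummary:
    s = CrashSummary()
    in_trace = False
    for raw in log.splitlines():
        m = STAMP.match(raw)
        if not m:
            continue                       # not a kernel message (login prompt etc.)
        msg = m.group(1)
        if in_trace:
            f = FRAME.match(msg)
            if f:
                if f.group(1) is None:     # '?' frames are stale stack slots; drop them
                    s.frames.append(f.group(2))
                continue
            if not TRACE_END.match(msg.strip()):
                continue                   # register dump / Code: lines interleave with frames
            in_trace = False
        if msg.startswith("Call Trace:"):
            in_trace = not s.frames        # only the first trace belongs to the bug itself
        elif (od := ODEBUG.search(msg)):
            s.object_type, s.hint = od.group(1), od.group(2)
        elif (w := WARN_AT.search(msg)):
            s.pid, s.warning_site = int(w.group(1)), w.group(2)
        elif "panic_on_warn" in msg:
            s.panic_on_warn = True
        elif (c := COMM.search(msg)):
            s.comm = s.comm or c.group(1)
        elif (lc := LOCK_CHAIN.match(msg.strip())) and s.lockdep_chain is None:
            s.lockdep_chain = lc.group(1).split(" --> ")
    for i, fn in enumerate(s.frames):
        if fn in FREE_FUNCS and i + 2 < len(s.frames):
            s.culprit, s.caller = s.frames[i + 1], s.frames[i + 2]
            break
    for fn in s.frames:
        if (sc := SYSCALL.match(fn)):
            s.syscall = sc.group(1)
            break
    return s


def summarize(s: CrashSummary) -> str:
    parts = []
    if s.object_type and s.culprit:
        parts.append(f"{s.culprit}() <- {s.caller}() via {s.syscall or '?'}(2) frees an object "
                     f"whose {s.object_type} is still active (hint {s.hint})")
    if s.panic_on_warn:
        parts.append("panic_on_warn escalated the WARN to a panic")
    if s.lockdep_chain:
        parts.append("secondary lockdep report: " + " -> ".join(s.lockdep_chain))
    return "; ".join(parts) or "no recognised report"


# Constructed sample: an excerpt of the console log above.
SAMPLE_LOG = """\
[   55.194983] ------------[ cut here ]------------
[   55.200862] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80
[   55.211234] WARNING: CPU: 1 PID: 7562 at lib/debugobjects.c:325 debug_print_object+0x168/0x250
[   55.220110] Kernel panic - not syncing: panic_on_warn set ...
[   55.227531] CPU: 1 PID: 7562 Comm: syz-executor873 Not tainted 4.19.81 #0
[   55.244429] Call Trace:
[   55.414462]  debug_check_no_obj_freed+0x29f/0x464
[   55.419327]  kfree+0xbd/0x220
[   55.422453]  rfcomm_dlc_free+0x20/0x30
[   55.426516]  rfcomm_dev_ioctl+0x181f/0x1b60
[   55.430969]  ? __local_bh_enable_ip+0x15a/0x270
[   55.456072]  rfcomm_sock_ioctl+0x90/0xb0
[   55.556227]  __x64_sys_ioctl+0x73/0xb0
[   55.570243] RIP: 0033:0x441229
[   55.637302] ======================================================
[   55.637305] WARNING: possible circular locking dependency detected
[   55.637603]   (console_sem).lock --> &rq->lock --> &obj_hash[i].lock
"""

if __name__ == "__main__":
    print(summarize(parse_crash(SAMPLE_LOG)))
```

Feed it the whole log (for example `parse_crash(open("console.log").read())`) and the culprit comes out as rfcomm_dlc_free called from rfcomm_dev_ioctl; the "?" frames and the register dumps between the kernel and user RIP blocks are skipped, and only the first Call Trace is used because the second one, under "stack backtrace:", belongs to the lockdep report.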