[ 33.775566] audit: type=1800 audit(1584938494.977:33): pid=7173 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.802583] audit: type=1800 audit(1584938494.977:34): pid=7173 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 36.803717] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.050935] audit: type=1400 audit(1584938498.257:35): avc: denied { map } for pid=7344 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.100518] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.811425] random: sshd: uninitialized urandom read (32 bytes read)
[ 1021.140821] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.42' (ECDSA) to the list of known hosts.
[ 1026.656527] random: sshd: uninitialized urandom read (32 bytes read)
[ 1026.871393] audit: type=1400 audit(1584939488.077:36): avc: denied { map } for pid=7357 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/23 04:58:08 parsed 1 programs
[ 1027.766803] random: cc1: uninitialized urandom read (8 bytes read)
2020/03/23 04:58:09 executed programs: 0
[ 1028.587318] audit: type=1400 audit(1584939489.787:37): avc: denied { map } for pid=7357 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=1131 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 1028.616429] audit: type=1400 audit(1584939489.807:38): avc: denied { map } for pid=7357 comm="syz-execprog" path="/root/syzkaller-shm618608034" dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 1028.881149] IPVS: ftp: loaded support on port[0] = 21
[ 1029.668690] chnl_net:caif_netlink_parms(): no params data found
[ 1029.717624] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1029.724134] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1029.731923] device bridge_slave_0 entered promiscuous mode
[ 1029.738878] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1029.745440] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1029.752708] device bridge_slave_1 entered promiscuous mode
[ 1029.767727] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1029.776624] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1029.793143] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1029.800609] team0: Port device team_slave_0 added
[ 1029.806115] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1029.813282] team0: Port device team_slave_1 added
[ 1029.827757] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1029.834111] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1029.859600] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1029.871387] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1029.877708] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1029.902913] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1029.913470] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1029.921013] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1029.972304] device hsr_slave_0 entered promiscuous mode
[ 1030.040295] device hsr_slave_1 entered promiscuous mode
[ 1030.120736] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1030.127958] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1030.177516] audit: type=1400 audit(1584939491.377:39): avc: denied { create } for pid=7374 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 1030.196452] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1030.202411] audit: type=1400 audit(1584939491.377:40): avc: denied { write } for pid=7374 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 1030.208640] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1030.232634] audit: type=1400 audit(1584939491.377:41): avc: denied { read } for pid=7374 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 1030.239447] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1030.269033] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1030.303113] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1030.309184] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1030.318143] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1030.326986] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1030.346740] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1030.353806] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1030.363824] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1030.369907] 8021q: adding VLAN 0 to HW filter on device team0
[ 1030.378575] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1030.387199] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1030.393579] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1030.403734] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1030.411558] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1030.417911] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1030.433023] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1030.441048] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1030.449589] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1030.459998] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1030.471305] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1030.482338] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1030.490744] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1030.497616] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1030.511505] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1030.518782] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1030.525650] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1030.536081] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1030.595401] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1030.605156] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1030.638118] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1030.645842] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1030.652436] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1030.662350] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1030.669670] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1030.677162] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1030.684177] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1030.693499] device veth0_vlan entered promiscuous mode
[ 1030.702951] device veth1_vlan entered promiscuous mode
[ 1030.716329] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1030.725050] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 1030.732584] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 1030.740748] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1030.749843] device veth0_macvtap entered promiscuous mode
[ 1030.756246] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1030.764293] device veth1_macvtap entered promiscuous mode
[ 1030.770823] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 1030.779912] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1030.789351] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1030.798611] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 1030.805957] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1030.812762] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1030.819922] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 1030.827262] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1030.834979] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1030.845980] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 1030.853163] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1030.859685] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1030.867715] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2020/03/23 04:58:14 executed programs: 66
2020/03/23 04:58:19 executed programs: 300
2020/03/23 04:58:24 executed programs: 535
2020/03/23 04:58:29 executed programs: 774
2020/03/23 04:58:34 executed programs: 1011
2020/03/23 04:58:39 executed programs: 1248
2020/03/23 04:58:44 executed programs: 1486
2020/03/23 04:58:49 executed programs: 1718
2020/03/23 04:58:54 executed programs: 1954
2020/03/23 04:58:59 executed programs: 2191
2020/03/23 04:59:04 executed programs: 2426
2020/03/23 04:59:09 executed programs: 2661
2020/03/23 04:59:14 executed programs: 2897
2020/03/23 04:59:19 executed programs: 3132
2020/03/23 04:59:24 executed programs: 3368
2020/03/23 04:59:29 executed programs: 3603
2020/03/23 04:59:35 executed programs: 3838
2020/03/23 04:59:40 executed programs: 4072
[ 1119.911425]
[ 1119.913083] ======================================================
[ 1119.919373] WARNING: possible circular locking dependency detected
[ 1119.925668] 4.14.174-syzkaller #0 Not tainted
[ 1119.930138] ------------------------------------------------------
[ 1119.936429] syz-executor.0/23997 is trying to acquire lock:
[ 1119.942111] ((&strp->work)){+.+.}, at: [] flush_work+0x82/0x780
[ 1119.949989]
[ 1119.949989] but task is already holding lock:
[ 1119.956381] (sk_lock-AF_INET){+.+.}, at: [] kcm_ioctl+0x328/0x1010
[ 1119.964436]
[ 1119.964436] which lock already depends on the new lock.
[ 1119.964436]
[ 1119.972729]
[ 1119.972729] the existing dependency chain (in reverse order) is:
[ 1119.980334]
[ 1119.980334] -> #1 (sk_lock-AF_INET){+.+.}:
[ 1119.986134] lock_sock_nested+0xb7/0x100
[ 1119.990694] strp_work+0x3e/0x100
[ 1119.994644] process_one_work+0x813/0x1540
[ 1119.999376] worker_thread+0x5d1/0x1070
[ 1120.003884] kthread+0x30d/0x420
[ 1120.007835] ret_from_fork+0x24/0x30
[ 1120.012043]
[ 1120.012043] -> #0 ((&strp->work)){+.+.}:
[ 1120.017592] lock_acquire+0x170/0x3f0
[ 1120.021888] flush_work+0xae/0x780
[ 1120.025925] __cancel_work_timer+0x2d0/0x460
[ 1120.031133] strp_done+0x53/0xd0
[ 1120.035004] kcm_ioctl+0x856/0x1010
[ 1120.039160] sock_do_ioctl+0x5f/0xa0
[ 1120.043370] sock_ioctl+0x28d/0x450
[ 1120.047554] do_vfs_ioctl+0x75a/0xfe0
[ 1120.051938] SyS_ioctl+0x7f/0xb0
[ 1120.055857] do_syscall_64+0x1d5/0x640
[ 1120.060252] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 1120.065940]
[ 1120.065940] other info that might help us debug this:
[ 1120.065940]
[ 1120.074055] Possible unsafe locking scenario:
[ 1120.074055]
[ 1120.080090]        CPU0                    CPU1
[ 1120.084736]        ----                    ----
[ 1120.089376]   lock(sk_lock-AF_INET);
[ 1120.093065]                                lock((&strp->work));
[ 1120.099214]                                lock(sk_lock-AF_INET);
[ 1120.105432]   lock((&strp->work));
[ 1120.108965]
[ 1120.108965] *** DEADLOCK ***
[ 1120.108965]
[ 1120.115041] 1 lock held by syz-executor.0/23997:
[ 1120.119778] #0: (sk_lock-AF_INET){+.+.}, at: [] kcm_ioctl+0x328/0x1010
[ 1120.128174]
[ 1120.128174] stack backtrace:
[ 1120.132660] CPU: 0 PID: 23997 Comm: syz-executor.0 Not tainted 4.14.174-syzkaller #0
[ 1120.140692] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1120.150082] Call Trace:
[ 1120.152737] dump_stack+0x13e/0x194
[ 1120.156362] print_circular_bug.isra.0.cold+0x1c4/0x282
[ 1120.161715] __lock_acquire+0x2cb3/0x4620
[ 1120.165915] ? trace_hardirqs_on+0x10/0x10
[ 1120.170146] ? kernel_text_address+0x6e/0xe0
[ 1120.174543] ? save_trace+0x290/0x290
[ 1120.178331] ? find_held_lock+0x2d/0x110
[ 1120.182371] lock_acquire+0x170/0x3f0
[ 1120.186154] ? flush_work+0x82/0x780
[ 1120.189853] ? flush_work+0x5f4/0x780
[ 1120.193629] flush_work+0xae/0x780
[ 1120.197189] ? flush_work+0x82/0x780
[ 1120.200961] ? debug_object_init_on_stack+0x20/0x20
[ 1120.205960] ? save_trace+0x290/0x290
[ 1120.209747] ? insert_work+0x2f0/0x2f0
[ 1120.213622] ? find_held_lock+0x2d/0x110
[ 1120.217760] ? del_timer+0xb3/0xe0
[ 1120.221287] ? trigger_dyntick_cpu.isra.0+0x180/0x180
[ 1120.226453] ? mark_held_locks+0xa6/0xf0
[ 1120.230498] ? __cancel_work_timer+0x146/0x460
[ 1120.235115] __cancel_work_timer+0x2d0/0x460
[ 1120.239512] ? cancel_delayed_work+0x20/0x20
[ 1120.243940] ? kcm_ioctl+0x841/0x1010
[ 1120.247746] ? mark_held_locks+0xa6/0xf0
[ 1120.251955] ? __local_bh_enable_ip+0x94/0x190
[ 1120.256537] strp_done+0x53/0xd0
[ 1120.259886] kcm_ioctl+0x856/0x1010
[ 1120.263495] ? kcm_done_work+0x20/0x20
[ 1120.267359] ? trace_hardirqs_on+0x10/0x10
[ 1120.271620] sock_do_ioctl+0x5f/0xa0
[ 1120.275374] sock_ioctl+0x28d/0x450
[ 1120.279101] ? selinux_file_ioctl+0x3f7/0x560
[ 1120.283585] ? dlci_ioctl_set+0x30/0x30
[ 1120.287557] do_vfs_ioctl+0x75a/0xfe0
[ 1120.291341] ? selinux_file_mprotect+0x5c0/0x5c0
[ 1120.296157] ? ioctl_preallocate+0x1a0/0x1a0
[ 1120.300601] ? security_file_ioctl+0x76/0xb0
[ 1120.304987] ? security_file_ioctl+0x83/0xb0
[ 1120.309372] SyS_ioctl+0x7f/0xb0
[ 1120.312728] ? do_vfs_ioctl+0xfe0/0xfe0
[ 1120.316689] do_syscall_64+0x1d5/0x640
[ 1120.320559] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 1120.325725] RIP: 0033:0x45c849
[ 1120.328890] RSP: 002b:00007f0a52658c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1120.336571] RAX: ffffffffffffffda RBX: 00007f0a526596d4 RCX: 000000000045c849
[ 1120.343916] RDX: 0000000020000380 RSI: 00000000000089e0 RDI: 0000000000000006
[ 1120.351164] RBP: 000000000076c040 R08: 0000000000000000 R09: 0000000000000000
[ 1120.358410] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 1120.365655] R13: 00000000000006d7 R14: 00000000004c99db R15: 000000000076c04c
2020/03/23 04:59:45 executed programs: 4343
2020/03/23 04:59:50 executed programs: 4659