[....] Starting enhanced syslogd: rsyslogd[ 15.305526] audit: type=1400 audit(1518490849.970:5): avc: denied { syslog } for pid=3996 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 20.344211] audit: type=1400 audit(1518490855.009:6): avc: denied { map } for pid=4137 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.15.209' (ECDSA) to the list of known hosts. executing program [ 26.628770] audit: type=1400 audit(1518490861.293:7): avc: denied { map } for pid=4151 comm="syzkaller931127" path="/root/syzkaller931127339" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 26.658852] ------------[ cut here ]------------ [ 26.664280] ODEBUG: free active (active state 0) object type: timer_list hint: led_timeout_callback+0x0/0x20 [ 26.674302] WARNING: CPU: 1 PID: 4151 at lib/debugobjects.c:291 debug_print_object+0x166/0x220 [ 26.683025] Kernel panic - not syncing: panic_on_warn set ... [ 26.683025] [ 26.690367] CPU: 1 PID: 4151 Comm: syzkaller931127 Not tainted 4.16.0-rc1+ #223 [ 26.697892] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.707242] Call Trace: [ 26.709834] dump_stack+0x194/0x257 [ 26.713455] ? arch_local_irq_restore+0x53/0x53 [ 26.718114] ? vsnprintf+0x1ed/0x1900 [ 26.721891] panic+0x1e4/0x41c [ 26.725056] ? refcount_error_report+0x214/0x214 [ 26.729783] ? show_regs_print_info+0x18/0x18 [ 26.734260] ? __warn+0x1c1/0x200 [ 26.737690] ? debug_print_object+0x166/0x220 [ 26.742154] __warn+0x1dc/0x200 [ 26.745403] ? debug_print_object+0x166/0x220 [ 26.749878] report_bug+0x211/0x2d0 [ 26.753478] fixup_bug.part.11+0x37/0x80 [ 26.757508] do_error_trap+0x2d7/0x3e0 [ 26.761367] ? vprintk_default+0x28/0x30 [ 26.765415] ? math_error+0x400/0x400 [ 26.769186] ? printk+0xaa/0xca [ 26.772440] ? show_regs_print_info+0x18/0x18 [ 26.776909] ? lock_release+0xa40/0xa40 [ 26.780858] ? __internal_add_timer+0x2d0/0x2d0 [ 26.785502] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 26.790329] ? __internal_add_timer+0x2d0/0x2d0 [ 26.794970] do_invalid_op+0x1b/0x20 [ 26.798658] invalid_op+0x22/0x40 [ 26.802083] RIP: 0010:debug_print_object+0x166/0x220 [ 26.807153] RSP: 0018:ffff8801b942f630 EFLAGS: 00010082 [ 26.812487] RAX: dffffc0000000008 RBX: 0000000000000003 RCX: ffffffff815aaf3e [ 26.819728] RDX: 0000000000000000 RSI: 1ffff10037285e76 RDI: 1ffff10037285e4b [ 26.826969] RBP: ffff8801b942f670 R08: 0000000000000000 R09: 1ffff10037285e1d [ 26.834208] R10: ffffed0037285ef5 R11: ffffffff86b39478 R12: 0000000000000001 [ 26.841449] R13: ffffffff86b4ace0 R14: ffffffff86007c60 R15: ffffffff815fd9a0 [ 26.848693] ? __internal_add_timer+0x2d0/0x2d0 [ 26.853339] ? vprintk_func+0x5e/0xc0 [ 26.857116] debug_check_no_obj_freed+0x662/0xf1f [ 26.861936] ? free_obj_work+0x690/0x690 [ 26.865966] ? up_read+0x40/0x40 [ 26.869302] ? wait_for_completion+0x770/0x770 [ 26.873857] ? up_read+0x1a/0x40 [ 26.877195] ? __lock_is_held+0xb6/0x140 [ 26.881229] ? debug_check_no_locks_freed+0x264/0x3c0 [ 26.886392] kfree+0xc7/0x260 [ 26.889473] led_tg_destroy+0x28a/0x3f0 [ 26.893415] ? state_mt+0x100/0x100 [ 26.897012] ? cleanup_match+0x198/0x220 [ 26.901043] ? hmark_tg_v4+0xfa0/0xfa0 [ 26.904905] ? hmark_tg_v4+0xfa0/0xfa0 [ 26.908763] cleanup_entry+0x218/0x350 [ 26.912622] ? cleanup_match+0x220/0x220 [ 26.916656] ? trace_event_raw_event_sched_switch+0x810/0x810 [ 26.922509] ? find_next_bit+0x52/0x100 [ 26.926455] __do_replace+0x79d/0xa50 [ 26.930231] ? compat_table_info+0x470/0x470 [ 26.934612] ? kasan_check_write+0x14/0x20 [ 26.938816] ? _copy_from_user+0x99/0x110 [ 26.942936] do_ipt_set_ctl+0x40f/0x5f0 [ 26.946884] ? translate_compat_table+0x1b90/0x1b90 [ 26.951889] ? mutex_unlock+0xd/0x10 [ 26.955574] ? nf_sockopt_find.constprop.0+0x1a7/0x220 [ 26.960820] nf_setsockopt+0x67/0xc0 [ 26.964510] ip_setsockopt+0x97/0xa0 [ 26.968196] tcp_setsockopt+0x82/0xd0 [ 26.971986] sock_common_setsockopt+0x95/0xd0 [ 26.976454] SyS_setsockopt+0x189/0x360 [ 26.980399] ? SyS_recv+0x40/0x40 [ 26.983828] ? mm_fault_error+0x2c0/0x2c0 [ 26.987948] ? move_addr_to_kernel+0x60/0x60 [ 26.992328] ? do_syscall_64+0xb7/0x940 [ 26.996273] ? SyS_recv+0x40/0x40 [ 26.999695] do_syscall_64+0x282/0x940 [ 27.003552] ? __do_page_fault+0xc90/0xc90 [ 27.007757] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 27.012484] ? syscall_return_slowpath+0x550/0x550 [ 27.017384] ? syscall_return_slowpath+0x2ac/0x550 [ 27.022282] ? prepare_exit_to_usermode+0x350/0x350 [ 27.027269] ? retint_user+0x18/0x18 [ 27.030968] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 27.035785] entry_SYSCALL_64_after_hwframe+0x26/0x9b [ 27.040952] RIP: 0033:0x444aca [ 27.044122] RSP: 002b:00007ffeeaa90e18 EFLAGS: 00000206 ORIG_RAX: 0000000000000036 [ 27.051812] RAX: ffffffffffffffda RBX: 00000000006cf9c0 RCX: 0000000000444aca [ 27.059060] RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003 [ 27.066309] RBP: 00000000006cf9c0 R08: 00000000000002d8 R09: 0000000000004000 [ 27.073549] R10: 00000000006cf960 R11: 0000000000000206 R12: 00007ffeeaa90e40 [ 27.080800] R13: 00000000006d1b80 R14: 0000000000000003 R15: 0000000000000000 [ 27.088054] [ 27.088055] ====================================================== [ 27.088057] WARNING: possible circular locking dependency detected [ 27.088058] 4.16.0-rc1+ #223 Not tainted [ 27.088060] ------------------------------------------------------ [ 27.088062] syzkaller931127/4151 is trying to acquire lock: [ 27.088062] ((console_sem).lock){..-.}, at: [<000000002058f59f>] down_trylock+0x13/0x70 [ 27.088070] [ 27.088071] but task is already holding lock: [ 27.088072] (&obj_hash[i].lock){-.-.}, at: [<000000001414457a>] debug_check_no_obj_freed+0x1e9/0xf1f [ 27.088076] [ 27.088077] which lock already depends on the new lock. [ 27.088078] [ 27.088079] [ 27.088080] the existing dependency chain (in reverse order) is: [ 27.088081] [ 27.088082] -> #3 (&obj_hash[i].lock){-.-.}: [ 27.088086] _raw_spin_lock_irqsave+0x96/0xc0 [ 27.088088] __debug_object_init+0x109/0x1040 [ 27.088089] debug_object_init+0x17/0x20 [ 27.088090] hrtimer_init+0x8c/0x410 [ 27.088091] init_dl_task_timer+0x1b/0x50 [ 27.088092] __sched_fork+0x2bb/0xb60 [ 27.088093] init_idle+0x75/0x820 [ 27.088095] sched_init+0xb19/0xc43 [ 27.088096] start_kernel+0x452/0x819 [ 27.088097] x86_64_start_reservations+0x2a/0x2c [ 27.088099] x86_64_start_kernel+0x77/0x7a [ 27.088100] secondary_startup_64+0xa5/0xb0 [ 27.088101] [ 27.088101] -> #2 (&rq->lock){-.-.}: [ 27.088105] _raw_spin_lock+0x2a/0x40 [ 27.088106] task_fork_fair+0x7a/0x690 [ 27.088108] sched_fork+0x450/0xc10 [ 27.088109] copy_process.part.37+0x1758/0x4b60 [ 27.088110] _do_fork+0x1f7/0xf70 [ 27.088111] kernel_thread+0x34/0x40 [ 27.088112] rest_init+0x22/0xf0 [ 27.088114] start_kernel+0x7f1/0x819 [ 27.088115] x86_64_start_reservations+0x2a/0x2c [ 27.088116] x86_64_start_kernel+0x77/0x7a [ 27.088118] secondary_startup_64+0xa5/0xb0 [ 27.088118] [ 27.088119] -> #1 (&p->pi_lock){-.-.}: [ 27.088123] _raw_spin_lock_irqsave+0x96/0xc0 [ 27.088124] try_to_wake_up+0xbc/0x15f0 [ 27.088126] wake_up_process+0x10/0x20 [ 27.088127] __up.isra.0+0x1cc/0x2c0 [ 27.088128] up+0x13b/0x1d0 [ 27.088129] __up_console_sem+0xb2/0x1a0 [ 27.088130] console_unlock+0x5af/0xfb0 [ 27.088131] vprintk_emit+0x5c3/0xb90 [ 27.088133] vprintk_default+0x28/0x30 [ 27.088134] vprintk_func+0x57/0xc0 [ 27.088135] printk+0xaa/0xca [ 27.088136] kauditd_hold_skb+0x163/0x180 [ 27.088137] kauditd_send_queue+0xfa/0x140 [ 27.088139] kauditd_thread+0x660/0x940 [ 27.088140] kthread+0x33c/0x400 [ 27.088141] ret_from_fork+0x3a/0x50 [ 27.088142] [ 27.088142] -> #0 ((console_sem).lock){..-.}: [ 27.088146] lock_acquire+0x1d5/0x580 [ 27.088148] _raw_spin_lock_irqsave+0x96/0xc0 [ 27.088149] down_trylock+0x13/0x70 [ 27.088151] __down_trylock_console_sem+0xa2/0x1e0 [ 27.088152] console_trylock+0x15/0x70 [ 27.088153] vprintk_emit+0x5b5/0xb90 [ 27.088154] vprintk_default+0x28/0x30 [ 27.088156] vprintk_func+0x57/0xc0 [ 27.088157] printk+0xaa/0xca [ 27.088158] __warn_printk+0x90/0xf0 [ 27.088159] debug_print_object+0x166/0x220 [ 27.088160] debug_check_no_obj_freed+0x662/0xf1f [ 27.088162] kfree+0xc7/0x260 [ 27.088163] led_tg_destroy+0x28a/0x3f0 [ 27.088164] cleanup_entry+0x218/0x350 [ 27.088165] __do_replace+0x79d/0xa50 [ 27.088166] do_ipt_set_ctl+0x40f/0x5f0 [ 27.088168] nf_setsockopt+0x67/0xc0 [ 27.088169] ip_setsockopt+0x97/0xa0 [ 27.088170] tcp_setsockopt+0x82/0xd0 [ 27.088171] sock_common_setsockopt+0x95/0xd0 [ 27.088173] SyS_setsockopt+0x189/0x360 [ 27.088174] do_syscall_64+0x282/0x940 [ 27.088175] entry_SYSCALL_64_after_hwframe+0x26/0x9b [ 27.088176] [ 27.088177] other info that might help us debug this: [ 27.088178] [ 27.088179] Chain exists of: [ 27.088180] (console_sem).lock --> &rq->lock --> &obj_hash[i].lock [ 27.088185] [ 27.088186] Possible unsafe locking scenario: [ 27.088187] [ 27.088188] CPU0 CPU1 [ 27.088189] ---- ---- [ 27.088190] lock(&obj_hash[i].lock); [ 27.088193] lock(&rq->lock); [ 27.088195] lock(&obj_hash[i].lock); [ 27.088198] lock((console_sem).lock); [ 27.088200] [ 27.088201] *** DEADLOCK *** [ 27.088202] [ 27.088203] 2 locks held by syzkaller931127/4151: [ 27.088204] #0: (&xt[i].mutex){+.+.}, at: [<00000000e2834500>] xt_find_table_lock+0x3e/0x3e0 [ 27.088208] #1: (&obj_hash[i].lock){-.-.}, at: [<000000001414457a>] debug_check_no_obj_freed+0x1e9/0xf1f [ 27.088213] [ 27.088214] stack backtrace: [ 27.088216] CPU: 1 PID: 4151 Comm: syzkaller931127 Not tainted 4.16.0-rc1+ #223 [ 27.088218] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.088219] Call Trace: [ 27.088220] dump_stack+0x194/0x257 [ 27.088221] ? arch_local_irq_restore+0x53/0x53 [ 27.088223] print_circular_bug.isra.38+0x2cd/0x2dc [ 27.088224] ? save_trace+0xe0/0x2b0 [ 27.088225] __lock_acquire+0x30a8/0x3e00 [ 27.088226] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.088228] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.088229] ? print_irqtrace_events+0x270/0x270 [ 27.088230] ? __lock_acquire+0x664/0x3e00 [ 27.088231] ? check_noncircular+0x20/0x20 [ 27.088233] ? print_irqtrace_events+0x270/0x270 [ 27.088234] ? __lock_acquire+0x664/0x3e00 [ 27.088235] ? check_usage+0x22f/0xb60 [ 27.088237] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 27.088238] ? check_noncircular+0x20/0x20 [ 27.088239] ? print_irqtrace_events+0x270/0x270 [ 27.088240] lock_acquire+0x1d5/0x580 [ 27.088241] ? lock_acquire+0x1d5/0x580 [ 27.088243] ? down_trylock+0x13/0x70 [ 27.088244] ? lock_release+0xa40/0xa40 [ 27.088245] ? vprintk_emit+0x43b/0xb90 [ 27.088246] ? lock_downgrade+0x980/0x980 [ 27.088247] ? kvm_sched_clock_read+0x25/0x40 [ 27.088248] ? sched_clock+0x31/0x40 [ 27.088250] ? sched_clock_cpu+0x1b/0x180 [ 27.088251] ? vprintk_emit+0x5b5/0xb90 [ 27.088253] _raw_spin_lock_irqsave+0x96/0xc0 [ 27.088254] ? down_trylock+0x13/0x70 [ 27.088255] down_trylock+0x13/0x70 [ 27.088256] ? vprintk_emit+0x5b5/0xb90 [ 27.088258] __down_trylock_console_sem+0xa2/0x1e0 [ 27.088259] console_trylock+0x15/0x70 [ 27.088260] vprintk_emit+0x5b5/0xb90 [ 27.088261] ? console_unlock+0xfb0/0xfb0 [ 27.088262] ? check_noncircular+0x20/0x20 [ 27.088264] ? find_held_lock+0x35/0x1d0 [ 27.088265] ? is_bpf_text_address+0x7b/0x120 [ 27.088266] ? find_held_lock+0x35/0x1d0 [ 27.088268] ? __internal_add_timer+0x2d0/0x2d0 [ 27.088269] vprintk_default+0x28/0x30 [ 27.088270] vprintk_func+0x57/0xc0 [ 27.088271] printk+0xaa/0xca [ 27.088272] ? show_regs_print_info+0x18/0x18 [ 27.088273] ? lock_release+0xa40/0xa40 [ 27.088275] ? __warn_printk+0x84/0xf0 [ 27.088276] ? led_tg_destroy+0x3f0/0x3f0 [ 27.088277] __warn_printk+0x90/0xf0 [ 27.088278] ? test_taint+0x20/0x20 [ 27.088279] ? lock_release+0xa40/0xa40 [ 27.088280] ? depot_save_stack+0x2ca/0x460 [ 27.088282] ? led_tg_destroy+0x3f0/0x3f0 [ 27.088283] debug_print_object+0x166/0x220 [ 27.088284] debug_check_no_obj_freed+0x662/0xf1f [ 27.088285] ? free_obj_work+0x690/0x690 [ 27.088286] ? up_read+0x40/0x40 [ 27.088288] ? wait_for_completion+0x770/0x770 [ 27.088289] ? up_read+0x1a/0x40 [ 27.088290] ? __lock_is_held+0xb6/0x140 [ 27.088291] ? debug_check_no_locks_freed+0x264/0x3c0 [ 27.088292] kfree+0xc7/0x260 [ 27.088294] led_tg_destroy+0x28a/0x3f0 [ 27.088295] ? state_mt+0x100/0x100 [ 27.088296] ? cleanup_match+0x198/0x220 [ 27.088297] ? hmark_tg_v4+0xfa0/0xfa0 [ 27.088298] ? hmark_tg_v4+0xfa0/0xfa0 [ 27.088299] cleanup_entry+0x218/0x350 [ 27.088300] ? cleanup_match+0x220/0x220 [ 27.088302] ? trace_event_raw_event_sched_switch+0x810/0x810 [ 27.088303] ? find_next_bit+0x52/0x100 [ 27.088304] __do_replace+0x79d/0xa50 [ 27.088306] ? compat_table_info+0x470/0x470 [ 27.088307] ? kasan_check_write+0x14/0x20 [ 27.088308] ? _copy_from_user+0x99/0x110 [ 27.088309] do_ipt_set_ctl+0x40f/0x5f0 [ 27.088311] ? translate_compat_table+0x1b90/0x1b90 [ 27.088312] ? mutex_unlock+0xd/0x10 [ 27.088313] ? nf_sockopt_find.constprop.0+0x1a7/0x220 [ 27.088314] nf_setsockopt+0x67/0xc0 [ 27.088315] ip_setsockopt+0x97/0xa0 [ 27.088317] tcp_setsockopt+0x82/0xd0 [ 27.088318] sock_common_setsockopt+0x95/0xd0 [ 27.088319] SyS_setsockopt+0x189/0x360 [ 27.088320] ? SyS_recv+0x40/0x40 [ 27.088321] ? mm_fault_error+0x2c0/0x2c0 [ 27.088323] ? move_addr_to_kernel+0x60/0x60 [ 27.088324] ? do_syscall_64+0xb7/0x940 [ 27.088325] ? SyS_recv+0x40/0x40 [ 27.088326] do_syscall_64+0x282/0x940 [ 27.088327] ? __do_page_fault+0xc90/0xc90 [ 27.088329] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 27.088330] ? syscall_return_slowpath+0x550/0x550 [ 27.088332] ? syscall_return_slowpath+0x2ac/0x550 [ 27.088333] ? prepare_exit_to_usermode+0x350/0x350 [ 27.088334] ? retint_user+0x18/0x18 [ 27.088335] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 27.088337] entry_SYSCALL_64_after_hwframe+0x26/0x9b [ 27.088338] RIP: 0033:0x444aca [ 27.088339] RSP: 002b:00007ffeeaa90e18 EFLAGS: 00000206 ORIG_RAX: 0000000000000036 [ 27.088342] RAX: ffffffffffffffda RBX: 00000000006cf9c0 RCX: 0000000000444aca [ 27.088344] RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003 [ 27.088346] RBP: 00000000006cf9c0 R08: 00000000000002d8 R09: 0000000000004000 [ 27.088347] R10: 00000000006cf960 R11: 0000000000000206 R12: 00007ffeeaa90e40 [ 27.088349] R13: 00000000006d1b80 R14: 0000000000000003 R15: 0000000000000000 [ 27.088757] Dumping ftrace buffer: [ 28.018731] (ftrace buffer empty) [ 28.022421] Kernel Offset: disabled [ 28.026020] Rebooting in 86400 seconds..