[ 39.914254] audit: type=1800 audit(1577383114.568:30): pid=7582 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 45.827547] kauditd_printk_skb: 4 callbacks suppressed
[ 45.827563] audit: type=1400 audit(1577383120.498:35): avc: denied { map } for pid=7757 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.1.19' (ECDSA) to the list of known hosts.
executing program
[ 56.804344] audit: type=1400 audit(1577383131.478:36): avc: denied { map } for pid=7769 comm="syz-executor625" path="/root/syz-executor625627215" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 61.816023] ------------[ cut here ]------------
[ 61.821932] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80
[ 61.831999] WARNING: CPU: 0 PID: 7772 at lib/debugobjects.c:325 debug_print_object+0x168/0x250
[ 61.840752] Kernel panic - not syncing: panic_on_warn set ...
[ 61.840752]
[ 61.848111] CPU: 0 PID: 7772 Comm: syz-executor625 Not tainted 4.19.91-syzkaller #0
[ 61.855903] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.865258] Call Trace:
[ 61.867837]  dump_stack+0x197/0x210
[ 61.871566]  panic+0x26a/0x50e
[ 61.874752]  ? __warn_printk+0xf3/0xf3
[ 61.878627]  ? debug_print_object+0x168/0x250
[ 61.883108]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 61.888656]  ? __warn.cold+0x5/0x53
[ 61.892265]  ? __warn+0xe8/0x1d0
[ 61.895628]  ? debug_print_object+0x168/0x250
[ 61.900105]  __warn.cold+0x20/0x53
[ 61.903639]  ? trace_hardirqs_off+0x62/0x220
[ 61.908132]  ? debug_print_object+0x168/0x250
[ 61.912634]  report_bug+0x263/0x2b0
[ 61.916261]  do_error_trap+0x204/0x360
[ 61.920135]  ? math_error+0x340/0x340
[ 61.923919]  ? wake_up_klogd+0x99/0xd0
[ 61.927794]  ? vprintk_emit+0x1ce/0x6d0
[ 61.931770]  ? error_entry+0x7c/0xe0
[ 61.935474]  ? trace_hardirqs_off_caller+0x65/0x220
[ 61.940479]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 61.945311]  do_invalid_op+0x1b/0x20
[ 61.949024]  invalid_op+0x14/0x20
[ 61.952473] RIP: 0010:debug_print_object+0x168/0x250
[ 61.957573] Code: dd e0 63 ea 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48 8b 14 dd e0 63 ea 87 48 c7 c7 20 59 ea 87 e8 a6 46 dc fd <0f> 0b 83 05 ab 96 6a 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
[ 61.976485] RSP: 0018:ffff8880859978b8 EFLAGS: 00010082
[ 61.981833] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[ 61.989098] RDX: 0000000000000000 RSI: ffffffff8155bb16 RDI: ffffed1010b32f09
[ 61.996364] RBP: ffff8880859978f8 R08: ffff888088aca700 R09: ffffed1015d03ee3
[ 62.003630] R10: ffffed1015d03ee2 R11: ffff8880ae81f717 R12: 0000000000000001
[ 62.010901] R13: ffffffff88fa43a0 R14: ffffffff815b30d0 R15: ffff88809b8efb28
[ 62.018196]  ? __internal_add_timer+0x1f0/0x1f0
[ 62.022857]  ? vprintk_func+0x86/0x189
[ 62.026751]  ? debug_print_object+0x168/0x250
[ 62.031231]  debug_check_no_obj_freed+0x29f/0x464
[ 62.036060]  kfree+0xbd/0x220
[ 62.039161]  rfcomm_dlc_free+0x20/0x30
[ 62.043033]  rfcomm_dev_ioctl+0x1988/0x1c90
[ 62.047338]  ? mark_held_locks+0xb1/0x100
[ 62.051485]  ? lock_sock_nested+0xe2/0x120
[ 62.055717]  ? rfcomm_tty_install+0x1a0/0x1a0
[ 62.060206]  ? lock_sock_nested+0x9a/0x120
[ 62.064441]  ? trace_hardirqs_on+0x67/0x220
[ 62.068763]  ? __local_bh_enable_ip+0x15a/0x270
[ 62.073471]  rfcomm_sock_ioctl+0x90/0xb0
[ 62.077528]  sock_do_ioctl+0xd8/0x2f0
[ 62.081326]  ? compat_ifr_data_ioctl+0x160/0x160
[ 62.086123]  ? __lock_acquire+0x6ee/0x49c0
[ 62.090350]  ? rcu_read_lock_sched_held+0x110/0x130
[ 62.096658]  ? kmem_cache_alloc+0x32a/0x700
[ 62.100973]  sock_ioctl+0x325/0x610
[ 62.104626]  ? dlci_ioctl_set+0x40/0x40
[ 62.108602]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 62.114129]  ? __might_sleep+0x95/0x190
[ 62.118095]  ? find_held_lock+0x35/0x130
[ 62.122161]  ? dlci_ioctl_set+0x40/0x40
[ 62.126126]  do_vfs_ioctl+0xd5f/0x1380
[ 62.130015]  ? selinux_file_ioctl+0x46f/0x5e0
[ 62.134504]  ? selinux_file_ioctl+0x125/0x5e0
[ 62.138996]  ? ioctl_preallocate+0x210/0x210
[ 62.143390]  ? selinux_file_mprotect+0x620/0x620
[ 62.148148]  ? __sanitizer_cov_trace_cmp1+0xb/0x20
[ 62.153161]  ? __fd_install+0x200/0x640
[ 62.157127]  ? fd_install+0x4d/0x60
[ 62.160746]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 62.166289]  ? security_file_ioctl+0x8d/0xc0
[ 62.170693]  ksys_ioctl+0xab/0xd0
[ 62.174146]  __x64_sys_ioctl+0x73/0xb0
[ 62.178046]  do_syscall_64+0xfd/0x620
[ 62.181849]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.187028] RIP: 0033:0x4412b9
[ 62.190219] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 62.209108] RSP: 002b:00007ffc2f8ef518 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 62.216808] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
[ 62.224065] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 62.231336] RBP: 000000000000f15e R08: 00000000004002c8 R09: 00000000004002c8
[ 62.238606] R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020e0
[ 62.245862] R13: 0000000000402170 R14: 0000000000000000 R15: 0000000000000000
[ 62.253138]
[ 62.253142] ======================================================
[ 62.253145] WARNING: possible circular locking dependency detected
[ 62.253147] 4.19.91-syzkaller #0 Not tainted
[ 62.253151] ------------------------------------------------------
[ 62.253154] syz-executor625/7772 is trying to acquire lock:
[ 62.253156] 000000009acd65e2 ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[ 62.253165]
[ 62.253167] but task is already holding lock:
[ 62.253169] 00000000758dfe93 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 62.253178]
[ 62.253181] which lock already depends on the new lock.
[ 62.253182]
[ 62.253184]
[ 62.253187] the existing dependency chain (in reverse order) is:
[ 62.253188]
[ 62.253189] -> #5 (&obj_hash[i].lock){-.-.}:
[ 62.253198]        _raw_spin_lock_irqsave+0x95/0xcd
[ 62.253200]        debug_object_activate+0x131/0x4e0
[ 62.253203]        enqueue_hrtimer+0x2a/0x3f0
[ 62.253205]        hrtimer_start_range_ns+0x603/0xc70
[ 62.253208]        schedule_hrtimeout_range_clock+0x1a0/0x380
[ 62.253211]        schedule_hrtimeout+0x25/0x30
[ 62.253213]        wait_task_inactive+0x4a2/0x630
[ 62.253216]        __kthread_bind_mask+0x24/0xb0
[ 62.253218]        kthread_bind_mask+0x23/0x30
[ 62.253221]        init_rescuer.part.0+0xfc/0x190
[ 62.253223]        workqueue_init+0x51a/0x808
[ 62.253226]        kernel_init_freeable+0x2c0/0x5c8
[ 62.253228]        kernel_init+0x12/0x1c2
[ 62.253230]        ret_from_fork+0x24/0x30
[ 62.253231]
[ 62.253233] -> #4 (hrtimer_bases.lock){-.-.}:
[ 62.253241]        _raw_spin_lock_irqsave+0x95/0xcd
[ 62.253244]        lock_hrtimer_base.isra.0+0x75/0x130
[ 62.253246]        hrtimer_start_range_ns+0xff/0xc70
[ 62.253249]        enqueue_task_rt+0x998/0xe70
[ 62.253252]        __sched_setscheduler+0xd93/0x1ed0
[ 62.253254]        _sched_setscheduler+0x10a/0x1b0
[ 62.253256]        sched_setscheduler+0xe/0x10
[ 62.253259]        watchdog_dev_init+0xe0/0x1b2
[ 62.253261]        watchdog_init+0x17/0x181
[ 62.253268]        do_one_initcall+0x107/0x78c
[ 62.253270]        kernel_init_freeable+0x4d4/0x5c8
[ 62.253273]        kernel_init+0x12/0x1c2
[ 62.253275]        ret_from_fork+0x24/0x30
[ 62.253276]
[ 62.253278] -> #3 (&rt_b->rt_runtime_lock){-...}:
[ 62.253286]        _raw_spin_lock+0x2f/0x40
[ 62.253288]        rq_online_rt+0xb4/0x390
[ 62.253290]        set_rq_online.part.0+0xe4/0x140
[ 62.253293]        sched_cpu_activate+0x17f/0x270
[ 62.253296]        cpuhp_invoke_callback+0x201/0x1af0
[ 62.253298]        cpuhp_thread_fun+0x453/0x850
[ 62.253300]        smpboot_thread_fn+0x6a3/0xa30
[ 62.253303]        kthread+0x354/0x420
[ 62.253305]        ret_from_fork+0x24/0x30
[ 62.253306]
[ 62.253307] -> #2 (&rq->lock){-.-.}:
[ 62.253315]        _raw_spin_lock+0x2f/0x40
[ 62.253318]        task_fork_fair+0x6a/0x520
[ 62.253320]        sched_fork+0x3af/0x900
[ 62.253323]        copy_process.part.0+0x1859/0x7a30
[ 62.253325]        _do_fork+0x257/0xfd0
[ 62.253327]        kernel_thread+0x34/0x40
[ 62.253329]        rest_init+0x24/0x222
[ 62.253332]        start_kernel+0x88c/0x8c5
[ 62.253335]        x86_64_start_reservations+0x29/0x2b
[ 62.253337]        x86_64_start_kernel+0x77/0x7b
[ 62.253340]        secondary_startup_64+0xa4/0xb0
[ 62.253341]
[ 62.253342] -> #1 (&p->pi_lock){-.-.}:
[ 62.253350]        _raw_spin_lock_irqsave+0x95/0xcd
[ 62.253352]        try_to_wake_up+0x94/0xf50
[ 62.253355]        wake_up_process+0x10/0x20
[ 62.253357]        __up.isra.0+0x136/0x1a0
[ 62.253359]        up+0x9c/0xe0
[ 62.253361]        __up_console_sem+0xb7/0x1c0
[ 62.253364]        console_unlock+0x6c7/0x10d0
[ 62.253366]        vprintk_emit+0x280/0x6d0
[ 62.253368]        vprintk_default+0x28/0x30
[ 62.253371]        vprintk_func+0x7e/0x189
[ 62.253373]        printk+0xba/0xed
[ 62.253375]        kauditd_hold_skb.cold+0x3f/0x4e
[ 62.253378]        kauditd_send_queue+0x12d/0x170
[ 62.253380]        kauditd_thread+0x71c/0xa50
[ 62.253382]        kthread+0x354/0x420
[ 62.253384]        ret_from_fork+0x24/0x30
[ 62.253386]
[ 62.253387] -> #0 ((console_sem).lock){-...}:
[ 62.253395]        lock_acquire+0x16f/0x3f0
[ 62.253398]        _raw_spin_lock_irqsave+0x95/0xcd
[ 62.253400]        down_trylock+0x13/0x70
[ 62.253403]        __down_trylock_console_sem+0xa8/0x210
[ 62.253405]        console_trylock+0x15/0xa0
[ 62.253407]        vprintk_emit+0x267/0x6d0
[ 62.253410]        vprintk_default+0x28/0x30
[ 62.253412]        vprintk_func+0x7e/0x189
[ 62.253414]        printk+0xba/0xed
[ 62.253416]        __warn_printk+0x9b/0xf3
[ 62.253419]        debug_print_object+0x168/0x250
[ 62.253421]        debug_check_no_obj_freed+0x29f/0x464
[ 62.253423]        kfree+0xbd/0x220
[ 62.253426]        rfcomm_dlc_free+0x20/0x30
[ 62.253428]        rfcomm_dev_ioctl+0x1988/0x1c90
[ 62.253430]        rfcomm_sock_ioctl+0x90/0xb0
[ 62.253433]        sock_do_ioctl+0xd8/0x2f0
[ 62.253435]        sock_ioctl+0x325/0x610
[ 62.253437]        do_vfs_ioctl+0xd5f/0x1380
[ 62.253439]        ksys_ioctl+0xab/0xd0
[ 62.253442]        __x64_sys_ioctl+0x73/0xb0
[ 62.253444]        do_syscall_64+0xfd/0x620
[ 62.253447]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.253448]
[ 62.253451] other info that might help us debug this:
[ 62.253452]
[ 62.253454] Chain exists of:
[ 62.253455]   (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 62.253465]
[ 62.253468]  Possible unsafe locking scenario:
[ 62.253469]
[ 62.253472]        CPU0                    CPU1
[ 62.253474]        ----                    ----
[ 62.253475]   lock(&obj_hash[i].lock);
[ 62.253481]                                lock(hrtimer_bases.lock);
[ 62.253486]                                lock(&obj_hash[i].lock);
[ 62.253491]   lock((console_sem).lock);
[ 62.253495]
[ 62.253497]  *** DEADLOCK ***
[ 62.253498]
[ 62.253501] 3 locks held by syz-executor625/7772:
[ 62.253502]  #0: 00000000af974aef (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: rfcomm_sock_ioctl+0x82/0xb0
[ 62.253513]  #1: 00000000607c777c (rfcomm_ioctl_mutex){+.+.}, at: rfcomm_dev_ioctl+0x923/0x1c90
[ 62.253522]  #2: 00000000758dfe93 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 62.253532]
[ 62.253534] stack backtrace:
[ 62.253538] CPU: 0 PID: 7772 Comm: syz-executor625 Not tainted 4.19.91-syzkaller #0
[ 62.253543] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.253544] Call Trace:
[ 62.253547]  dump_stack+0x197/0x210
[ 62.253550]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 62.253552]  __lock_acquire+0x2e19/0x49c0
[ 62.253554]  ? mark_held_locks+0x100/0x100
[ 62.253557]  ? kvm_clock_read+0x18/0x30
[ 62.253559]  ? kvm_sched_clock_read+0x9/0x20
[ 62.253562]  lock_acquire+0x16f/0x3f0
[ 62.253566]  ? down_trylock+0x13/0x70
[ 62.253570]  _raw_spin_lock_irqsave+0x95/0xcd
[ 62.253574]  ? down_trylock+0x13/0x70
[ 62.253578]  ? vprintk_emit+0x267/0x6d0
[ 62.253581]  down_trylock+0x13/0x70
[ 62.253585]  ? vprintk_emit+0x267/0x6d0
[ 62.253590]  __down_trylock_console_sem+0xa8/0x210
[ 62.253595]  console_trylock+0x15/0xa0
[ 62.253599]  vprintk_emit+0x267/0x6d0
[ 62.253604]  ? __internal_add_timer+0x1f0/0x1f0
[ 62.253608]  vprintk_default+0x28/0x30
[ 62.253612]  vprintk_func+0x7e/0x189
[ 62.253615]  printk+0xba/0xed
[ 62.253620]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 62.253624]  ? __warn_printk+0x8f/0xf3
[ 62.253626]  ? rfcomm_dlc_link+0x170/0x170
[ 62.253629]  __warn_printk+0x9b/0xf3
[ 62.253631]  ? add_taint.cold+0x16/0x16
[ 62.253633]  ? skb_dequeue+0x12e/0x180
[ 62.253636]  ? rfcomm_dlc_link+0x170/0x170
[ 62.253638]  debug_print_object+0x168/0x250
[ 62.253641]  debug_check_no_obj_freed+0x29f/0x464
[ 62.253643]  kfree+0xbd/0x220
[ 62.253645]  rfcomm_dlc_free+0x20/0x30
[ 62.253647]  rfcomm_dev_ioctl+0x1988/0x1c90
[ 62.253650]  ? mark_held_locks+0xb1/0x100
[ 62.253652]  ? lock_sock_nested+0xe2/0x120
[ 62.253655]  ? rfcomm_tty_install+0x1a0/0x1a0
[ 62.253657]  ? lock_sock_nested+0x9a/0x120
[ 62.253660]  ? trace_hardirqs_on+0x67/0x220
[ 62.253662]  ? __local_bh_enable_ip+0x15a/0x270
[ 62.253665]  rfcomm_sock_ioctl+0x90/0xb0
[ 62.253667]  sock_do_ioctl+0xd8/0x2f0
[ 62.253670]  ? compat_ifr_data_ioctl+0x160/0x160
[ 62.253672]  ? __lock_acquire+0x6ee/0x49c0
[ 62.253675]  ? rcu_read_lock_sched_held+0x110/0x130
[ 62.253678]  ? kmem_cache_alloc+0x32a/0x700
[ 62.253680]  sock_ioctl+0x325/0x610
[ 62.253682]  ? dlci_ioctl_set+0x40/0x40
[ 62.253685]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 62.253687]  ? __might_sleep+0x95/0x190
[ 62.253690]  ? find_held_lock+0x35/0x130
[ 62.253692]  ? dlci_ioctl_set+0x40/0x40
[ 62.253694]  do_vfs_ioctl+0xd5f/0x1380
[ 62.253697]  ? selinux_file_ioctl+0x46f/0x5e0
[ 62.253699]  ? selinux_file_ioctl+0x125/0x5e0
[ 62.253702]  ? ioctl_preallocate+0x210/0x210
[ 62.253705]  ? selinux_file_mprotect+0x620/0x620
[ 62.253707]  ? __sanitizer_cov_trace_cmp1+0xb/0x20
[ 62.253710]  ? __fd_install+0x200/0x640
[ 62.253712]  ? fd_install+0x4d/0x60
[ 62.253715]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 62.253718]  ? security_file_ioctl+0x8d/0xc0
[ 62.253720]  ksys_ioctl+0xab/0xd0
[ 62.253722]  __x64_sys_ioctl+0x73/0xb0
[ 62.253724]  do_syscall_64+0xfd/0x620
[ 62.253727]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.253729] RIP: 0033:0x4412b9
[ 62.253738] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 62.253741] RSP: 002b:00007ffc2f8ef518 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 62.253747] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
[ 62.253751] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 62.253754] RBP: 000000000000f15e R08: 00000000004002c8 R09: 00000000004002c8
[ 62.253758] R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020e0
[ 62.253762] R13: 0000000000402170 R14: 0000000000000000 R15: 0000000000000000
[ 62.255313] Kernel Offset: disabled
[ 63.213307] Rebooting in 86400 seconds..