[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[   19.487513] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.633353] random: sshd: uninitialized urandom read (32 bytes read)
[   22.943928] random: sshd: uninitialized urandom read (32 bytes read)
[   23.767427] random: sshd: uninitialized urandom read (32 bytes read)
[  127.560107] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.49' (ECDSA) to the list of known hosts.
[  133.042566] random: sshd: uninitialized urandom read (32 bytes read)
[  133.142334] IPVS: ftp: loaded support on port[0] = 21
[  139.208321] ==================================================================
[  139.216729] BUG: KASAN: stack-out-of-bounds in timerqueue_add+0x249/0x2b0
[  139.223632] Read of size 8 at addr ffff8801af537cf8 by task syz-executor591/7178
[  139.231136]
[  139.232743] CPU: 0 PID: 7178 Comm: syz-executor591 Not tainted 4.18.0-rc3+ #130
[  139.240173] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  139.249502] Call Trace:
[  139.252060]
[  139.254189]  dump_stack+0x1c9/0x2b4
[  139.257795]  ? dump_stack_print_info.cold.2+0x52/0x52
[  139.262961]  ? printk+0xa7/0xcf
[  139.266224]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  139.270959]  ? timerqueue_add+0x249/0x2b0
[  139.275085]  print_address_description+0x6c/0x20b
[  139.279906]  ? timerqueue_add+0x249/0x2b0
[  139.284036]  kasan_report.cold.7+0x242/0x2fe
[  139.288424]  __asan_report_load8_noabort+0x14/0x20
[  139.293329]  timerqueue_add+0x249/0x2b0
[  139.297281]  enqueue_hrtimer+0x18e/0x540
[  139.301323]  ? hrtimer_update_softirq_timer+0xa0/0xa0
[  139.306504]  ? __lock_is_held+0xb5/0x140
[  139.310545]  ? kasan_check_write+0x14/0x20
[  139.314756]  ? do_raw_spin_lock+0xc1/0x200
[  139.318970]  __hrtimer_run_queues+0xc07/0x10c0
[  139.323532]  ? hrtimer_start_range_ns+0xd20/0xd20
[  139.328358]  ? pvclock_read_flags+0x160/0x160
[  139.332832]  ? kvm_clock_read+0x25/0x30
[  139.336784]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  139.341778]  ? ktime_get_update_offsets_now+0x3db/0x5d0
[  139.347118]  ? do_timer+0x50/0x50
[  139.350548]  ? rcu_nmi_exit+0xe0/0x2d0
[  139.354425]  ? do_raw_spin_lock+0xc1/0x200
[  139.358639]  hrtimer_interrupt+0x2f3/0x750
[  139.362854]  smp_apic_timer_interrupt+0x165/0x730
[  139.367684]  ? smp_call_function_single_interrupt+0x660/0x660
[  139.373551]  ? _raw_spin_unlock+0x22/0x30
[  139.377686]  ? handle_edge_irq+0x330/0x870
[  139.381906]  ? task_prio+0x50/0x50
[  139.385429]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  139.390248]  apic_timer_interrupt+0xf/0x20
[  139.394465]
[  139.396674]
[  139.398276] The buggy address belongs to the page:
[  139.403185] page:ffffea0006bd4dc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[  139.411304] flags: 0x2fffc0000000000()
[  139.415172] raw: 02fffc0000000000 0000000000000000 ffffffff06bd0101 0000000000000000
[  139.423035] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[  139.430886] page dumped because: kasan: bad access detected
[  139.436567]
[  139.438172] Memory state around the buggy address:
[  139.443085]  ffff8801af537b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  139.450419]  ffff8801af537c00: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2
[  139.457754] >ffff8801af537c80: 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2
[  139.465419]                                                                ^
[  139.472683]  ffff8801af537d00: f8 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00
[  139.480024]  ffff8801af537d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  139.487370] ==================================================================
[  139.494713] Kernel panic - not syncing: panic_on_warn set ...
[  139.494713]
[  139.502057] CPU: 0 PID: 7178 Comm: syz-executor591 Tainted: G    B             4.18.0-rc3+ #130
[  139.510865] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  139.520195] Call Trace:
[  139.522752]
[  139.524885]  dump_stack+0x1c9/0x2b4
[  139.528492]  ? dump_stack_print_info.cold.2+0x52/0x52
[  139.533663]  ? lock_downgrade+0x8f0/0x8f0
[  139.537788]  ? timerqueue_add+0x249/0x2b0
[  139.541914]  panic+0x238/0x4e7
[  139.545086]  ? add_taint.cold.5+0x16/0x16
[  139.549216]  ? print_shadow_for_address+0xba/0x116
[  139.554122]  ? do_raw_spin_unlock+0xa7/0x2f0
[  139.558510]  ? timerqueue_add+0x249/0x2b0
[  139.562635]  kasan_end_report+0x47/0x4f
[  139.566588]  kasan_report.cold.7+0x76/0x2fe
[  139.570888]  __asan_report_load8_noabort+0x14/0x20
[  139.575806]  timerqueue_add+0x249/0x2b0
[  139.579761]  enqueue_hrtimer+0x18e/0x540
[  139.583798]  ? hrtimer_update_softirq_timer+0xa0/0xa0
[  139.588968]  ? __lock_is_held+0xb5/0x140
[  139.593011]  ? kasan_check_write+0x14/0x20
[  139.597227]  ? do_raw_spin_lock+0xc1/0x200
[  139.601449]  __hrtimer_run_queues+0xc07/0x10c0
[  139.606015]  ? hrtimer_start_range_ns+0xd20/0xd20
[  139.610845]  ? pvclock_read_flags+0x160/0x160
[  139.615320]  ? kvm_clock_read+0x25/0x30
[  139.619278]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  139.624279]  ? ktime_get_update_offsets_now+0x3db/0x5d0
[  139.629622]  ? do_timer+0x50/0x50
[  139.633053]  ? rcu_nmi_exit+0xe0/0x2d0
[  139.636919]  ? do_raw_spin_lock+0xc1/0x200
[  139.641134]  hrtimer_interrupt+0x2f3/0x750
[  139.645362]  smp_apic_timer_interrupt+0x165/0x730
[  139.650184]  ? smp_call_function_single_interrupt+0x660/0x660
[  139.656046]  ? _raw_spin_unlock+0x22/0x30
[  139.660172]  ? handle_edge_irq+0x330/0x870
[  139.664385]  ? task_prio+0x50/0x50
[  139.667905]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  139.672730]  apic_timer_interrupt+0xf/0x20
[  139.676940]
[  139.679154]
[  139.679157] ======================================================
[  139.679161] WARNING: possible circular locking dependency detected
[  139.679163] 4.18.0-rc3+ #130 Not tainted
[  139.679166] ------------------------------------------------------
[  139.679169] syz-executor591/7178 is trying to acquire lock:
[  139.679171] (____ptrval____) ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[  139.679179]
[  139.679182] but task is already holding lock:
[  139.679183] (____ptrval____) (report_lock){-...}, at: kasan_report+0x8e/0x110
[  139.679191]
[  139.679194] which lock already depends on the new lock.
[  139.679195]
[  139.679197]
[  139.679200] the existing dependency chain (in reverse order) is:
[  139.679201]
[  139.679202] -> #5 (report_lock){-...}:
[  139.679210]        _raw_spin_lock_irqsave+0x96/0xc0
[  139.679212]        kasan_report+0x8e/0x110
[  139.679215]        __asan_report_load8_noabort+0x14/0x20
[  139.679217]        timerqueue_add+0x249/0x2b0
[  139.679219]        enqueue_hrtimer+0x18e/0x540
[  139.679222]        __hrtimer_run_queues+0xc07/0x10c0
[  139.679224]        hrtimer_interrupt+0x2f3/0x750
[  139.679227]        smp_apic_timer_interrupt+0x165/0x730
[  139.679229]        apic_timer_interrupt+0xf/0x20
[  139.679230]
[  139.679232] -> #4 (hrtimer_bases.lock){-.-.}:
[  139.679240]        _raw_spin_lock_irqsave+0x96/0xc0
[  139.679242]        lock_hrtimer_base.isra.18+0x75/0x130
[  139.679245]        hrtimer_start_range_ns+0x128/0xd20
[  139.679247]        enqueue_task_rt+0x96a/0xfd0
[  139.679249]        enqueue_task+0xa2/0x1d0
[  139.679252]        __sched_setscheduler+0xe80/0x20b0
[  139.679254]        _sched_setscheduler+0x20c/0x370
[  139.679257]        sched_setscheduler+0xe/0x10
[  139.679259]        watchdog_enable+0x12d/0x1a0
[  139.679265]        smpboot_thread_fn+0x4c0/0x870
[  139.679267]        kthread+0x345/0x410
[  139.679269]        ret_from_fork+0x3a/0x50
[  139.679271]
[  139.679272] -> #3 (&rt_b->rt_runtime_lock){-.-.}:
[  139.679280]        _raw_spin_lock+0x2a/0x40
[  139.679282]        enqueue_task_rt+0x618/0xfd0
[  139.679284]        enqueue_task+0xa2/0x1d0
[  139.679287]        __sched_setscheduler+0xe80/0x20b0
[  139.679289]        _sched_setscheduler+0x20c/0x370
[  139.679292]        sched_setscheduler+0xe/0x10
[  139.679294]        watchdog_enable+0x12d/0x1a0
[  139.679296]        smpboot_thread_fn+0x4c0/0x870
[  139.679299]        kthread+0x345/0x410
[  139.679301]        ret_from_fork+0x3a/0x50
[  139.679302]
[  139.679303] -> #2 (&rq->lock){-.-.}:
[  139.679311]        _raw_spin_lock+0x2a/0x40
[  139.679313]        task_fork_fair+0x93/0x680
[  139.679315]        sched_fork+0x446/0xb40
[  139.679318]        copy_process.part.39+0x1c09/0x7220
[  139.679320]        _do_fork+0x291/0x12a0
[  139.679322]        kernel_thread+0x34/0x40
[  139.679324]        rest_init+0x22/0xe4
[  139.679326]        start_kernel+0x90e/0x949
[  139.679329]        x86_64_start_reservations+0x29/0x2b
[  139.679332]        x86_64_start_kernel+0x76/0x79
[  139.679334]        secondary_startup_64+0xa5/0xb0
[  139.679335]
[  139.679336] -> #1 (&p->pi_lock){-.-.}:
[  139.679344]        _raw_spin_lock_irqsave+0x96/0xc0
[  139.679347]        try_to_wake_up+0xd2/0x12b0
[  139.679349]        wake_up_process+0x10/0x20
[  139.679351]        __up.isra.1+0x1c0/0x2a0
[  139.679353]        up+0x13c/0x1c0
[  139.679356]        __up_console_sem+0xbe/0x1b0
[  139.679358]        console_unlock+0x7a2/0x10b0
[  139.679360]        vprintk_emit+0x6c6/0xdf0
[  139.679363]        vprintk_default+0x28/0x30
[  139.679365]        vprintk_func+0x7a/0xe7
[  139.679367]        printk+0xa7/0xcf
[  139.679369]        load_umh+0x51/0xbd
[  139.679371]        do_one_initcall+0x127/0x913
[  139.679374]        kernel_init_freeable+0x49b/0x58e
[  139.679376]        kernel_init+0x11/0x1b3
[  139.679378]        ret_from_fork+0x3a/0x50
[  139.679379]
[  139.679380] -> #0 ((console_sem).lock){-...}:
[  139.679389]        lock_acquire+0x1e4/0x540
[  139.679393]        _raw_spin_lock_irqsave+0x96/0xc0
[  139.679396]        down_trylock+0x13/0x70
[  139.679400]        __down_trylock_console_sem+0xae/0x200
[  139.679403]        console_trylock+0x15/0xa0
[  139.679407]        vprintk_emit+0x6ad/0xdf0
[  139.679410]        vprintk_default+0x28/0x30
[  139.679414]        vprintk_func+0x7a/0xe7
[  139.679417]        printk+0xa7/0xcf
[  139.679420]        kasan_report+0x9e/0x110
[  139.679425]        __asan_report_load8_noabort+0x14/0x20
[  139.679428]        timerqueue_add+0x249/0x2b0
[  139.679431]        enqueue_hrtimer+0x18e/0x540
[  139.679433]        __hrtimer_run_queues+0xc07/0x10c0
[  139.679436]        hrtimer_interrupt+0x2f3/0x750
[  139.679438]        smp_apic_timer_interrupt+0x165/0x730
[  139.679440]        apic_timer_interrupt+0xf/0x20
[  139.679442]
[  139.679444] other info that might help us debug this:
[  139.679445]
[  139.679447] Chain exists of:
[  139.679448]   (console_sem).lock --> hrtimer_bases.lock --> report_lock
[  139.679458]
[  139.679460]  Possible unsafe locking scenario:
[  139.679462]
[  139.679464]        CPU0                    CPU1
[  139.679466]        ----                    ----
[  139.679467]   lock(report_lock);
[  139.679473]                                lock(hrtimer_bases.lock);
[  139.679478]                                lock(report_lock);
[  139.679482]   lock((console_sem).lock);
[  139.679486]
[  139.679488]  *** DEADLOCK ***
[  139.679489]
[  139.679492] 4 locks held by syz-executor591/7178:
[  139.679493]  #0: (____ptrval____) (&sb->s_type->i_mutex_key#11){+.+.}, at: __sock_release+0x8b/0x260
[  139.679504]  #1: (____ptrval____) (rcu_read_lock){....}, at: bpf_tcp_close+0x0/0x1050
[  139.679513]  #2: (____ptrval____) (hrtimer_bases.lock){-.-.}, at: __hrtimer_run_queues+0x43c/0x10c0
[  139.679523]  #3: (____ptrval____) (report_lock){-...}, at: kasan_report+0x8e/0x110
[  139.679532]
[  139.679533] stack backtrace:
[  139.679537] CPU: 0 PID: 7178 Comm: syz-executor591 Not tainted 4.18.0-rc3+ #130
[  139.679541] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  139.679543] Call Trace:
[  139.679544]
[  139.679547]  dump_stack+0x1c9/0x2b4
[  139.679549]  ? dump_stack_print_info.cold.2+0x52/0x52
[  139.679551]  ? vprintk_func+0xd0/0xe7
[  139.679554]  print_circular_bug.isra.36.cold.57+0x1bd/0x27d
[  139.679556]  ? save_trace+0xe0/0x290
[  139.679559]  __lock_acquire+0x3449/0x5020
[  139.679561]  ? trace_hardirqs_on+0x10/0x10
[  139.679563]  ? trace_hardirqs_on+0x10/0x10
[  139.679565]  ? unwind_next_frame+0x3e/0x50
[  139.679568]  ? __save_stack_trace+0x7d/0xf0
[  139.679570]  ? add_lock_to_list.isra.29+0x1ec/0x4b0
[  139.679573]  ? trace_hardirqs_off+0x10/0x10
[  139.679575]  ? save_stack_trace+0x1a/0x20
[  139.679577]  ? save_trace+0xe0/0x290
[  139.679579]  ? graph_lock+0x170/0x170
[  139.679582]  ? __lock_acquire+0x28d9/0x5020
[  139.679584]  lock_acquire+0x1e4/0x540
[  139.679586]  ? down_trylock+0x13/0x70
[  139.679588]  ? lock_release+0xa30/0xa30
[  139.679590]  ? lock_downgrade+0x8f0/0x8f0
[  139.679593]  ? kvm_sched_clock_read+0x9/0x20
[  139.679595]  ? sched_clock+0x31/0x40
[  139.679597]  ? vprintk_emit+0x6ad/0xdf0
[  139.679599]  _raw_spin_lock_irqsave+0x96/0xc0
[  139.679601]  ? down_trylock+0x13/0x70
[  139.679603]  down_trylock+0x13/0x70
[  139.679606]  __down_trylock_console_sem+0xae/0x200
[  139.679608]  console_trylock+0x15/0xa0
[  139.679610]  vprintk_emit+0x6ad/0xdf0
[  139.679613]  ? trace_hardirqs_on+0x10/0x10
[  139.679615]  ? wake_up_klogd+0x110/0x110
[  139.679617]  ? graph_lock+0x170/0x170
[  139.679619]  ? rcu_report_qs_rnp+0x7a0/0x7a0
[  139.679621]  ? find_held_lock+0x36/0x1c0
[  139.679624]  ? lock_acquire+0x1e4/0x540
[  139.679626]  ? kasan_report+0x8e/0x110
[  139.679628]  ? timerqueue_add+0x249/0x2b0
[  139.679630]  vprintk_default+0x28/0x30
[  139.679632]  vprintk_func+0x7a/0xe7
[  139.679634]  printk+0xa7/0xcf
[  139.679637]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  139.679639]  ? kasan_check_write+0x14/0x20
[  139.679641]  ? do_raw_spin_lock+0xc1/0x200
[  139.679643]  ? do_raw_spin_lock+0xc1/0x200
[  139.679645]  kasan_report+0x9e/0x110
[  139.679648]  __asan_report_load8_noabort+0x14/0x20
[  139.679650]  timerqueue_add+0x249/0x2b0
[  139.679652]  enqueue_hrtimer+0x18e/0x540
[  139.679655]  ? hrtimer_update_softirq_timer+0xa0/0xa0
[  139.679657]  ? __lock_is_held+0xb5/0x140
[  139.679660]  ? kasan_check_write+0x14/0x20
[  139.679662]  ? do_raw_spin_lock+0xc1/0x200
[  139.679664]  __hrtimer_run_queues+0xc07/0x10c0
[  139.679667]  ? hrtimer_start_range_ns+0xd20/0xd20
[  139.679669]  ? pvclock_read_flags+0x160/0x160
[  139.679671]  ? kvm_clock_read+0x25/0x30
[  139.679674]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  139.679677]  ? ktime_get_update_offsets_now+0x3db/0x5d0
[  139.679679]  ? do_timer+0x50/0x50
[  139.679681]  ? rcu_nmi_exit+0xe0/0x2d0
[  139.679683]  ? do_raw_spin_lock+0xc1/0x200
[  139.679686]  hrtimer_interrupt+0x2f3/0x750
[  139.679688]  smp_apic_timer_interrupt+0x165/0x730
[  139.679691]  ? smp_call_function_single_interrupt+0x660/0x660
[  139.679693]  ? _raw_spin_unlock+0x22/0x30
[  139.679695]  ? handle_edge_irq+0x330/0x870
[  139.679698]  ? task_prio+0x50/0x50
[  139.679700]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  139.679702]  apic_timer_interrupt+0xf/0x20
[  139.679704]
[  139.680190] Dumping ftrace buffer:
[  140.545979]    (ftrace buffer empty)
[  140.549664] Kernel Offset: disabled
[  140.553268] Rebooting in 86400 seconds..