[ 45.599641] audit: type=1800 audit(1577506368.947:30): pid=7745 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd:
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 49.744245] kauditd_printk_skb: 4 callbacks suppressed
[ 49.744261] audit: type=1400 audit(1577506373.127:35): avc: denied { map } for pid=7918 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.69' (ECDSA) to the list of known hosts.
executing program
[ 56.483671] audit: type=1400 audit(1577506379.867:36): avc: denied { map } for pid=7930 comm="syz-executor381" path="/root/syz-executor381553478" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 61.495852] ------------[ cut here ]------------
[ 61.501798] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80
[ 61.511818] WARNING: CPU: 0 PID: 7933 at lib/debugobjects.c:325 debug_print_object+0x168/0x250
[ 61.520647] Kernel panic - not syncing: panic_on_warn set ...
[ 61.520647]
[ 61.528030] CPU: 0 PID: 7933 Comm: syz-executor381 Not tainted 4.19.91-syzkaller #0
[ 61.535839] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.545181] Call Trace:
[ 61.547763]  dump_stack+0x197/0x210
[ 61.551381]  panic+0x26a/0x50e
[ 61.554561]  ? __warn_printk+0xf3/0xf3
[ 61.558440]  ? debug_print_object+0x168/0x250
[ 61.562939]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 61.568468]  ? __warn.cold+0x5/0x53
[ 61.572083]  ? __warn+0xe8/0x1d0
[ 61.575453]  ? debug_print_object+0x168/0x250
[ 61.580212]  __warn.cold+0x20/0x53
[ 61.584256]  ? trace_hardirqs_off+0x62/0x220
[ 61.588910]  ? debug_print_object+0x168/0x250
[ 61.593429]  report_bug+0x263/0x2b0
[ 61.597053]  do_error_trap+0x204/0x360
[ 61.600981]  ? math_error+0x340/0x340
[ 61.605427]  ? wake_up_klogd+0x99/0xd0
[ 61.609498]  ? vprintk_emit+0x1ce/0x6d0
[ 61.613466]  ? error_entry+0x7c/0xe0
[ 61.617197]  ? trace_hardirqs_off_caller+0x65/0x220
[ 61.622212]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 61.627048]  do_invalid_op+0x1b/0x20
[ 61.630761]  invalid_op+0x14/0x20
[ 61.634206] RIP: 0010:debug_print_object+0x168/0x250
[ 61.639475] Code: dd e0 63 ea 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48 8b 14 dd e0 63 ea 87 48 c7 c7 20 59 ea 87 e8 a6 46 dc fd <0f> 0b 83 05 ab 96 6a 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
[ 61.658732] RSP: 0018:ffff888092c1f8b8 EFLAGS: 00010082
[ 61.664088] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[ 61.671346] RDX: 0000000000000000 RSI: ffffffff8155bb16 RDI: ffffed1012583f09
[ 61.679821] RBP: ffff888092c1f8f8 R08: ffff888083d1a3c0 R09: ffffed1015d03ee3
[ 61.687094] R10: ffffed1015d03ee2 R11: ffff8880ae81f717 R12: 0000000000000001
[ 61.694361] R13: ffffffff88fa43a0 R14: ffffffff815b30d0 R15: ffff888099131aa8
[ 61.701658]  ? __internal_add_timer+0x1f0/0x1f0
[ 61.706334]  ? vprintk_func+0x86/0x189
[ 61.710233]  ? debug_print_object+0x168/0x250
[ 61.714742]  debug_check_no_obj_freed+0x29f/0x464
[ 61.719738]  kfree+0xbd/0x220
[ 61.722849]  rfcomm_dlc_free+0x20/0x30
[ 61.726901]  rfcomm_dev_ioctl+0x1988/0x1c90
[ 61.731344]  ? mark_held_locks+0xb1/0x100
[ 61.735518]  ? lock_sock_nested+0xe2/0x120
[ 61.739966]  ? rfcomm_tty_install+0x1a0/0x1a0
[ 61.744470]  ? lock_sock_nested+0x9a/0x120
[ 61.748707]  ? trace_hardirqs_on+0x67/0x220
[ 61.753038]  ? __local_bh_enable_ip+0x15a/0x270
[ 61.757701]  rfcomm_sock_ioctl+0x90/0xb0
[ 61.761756]  sock_do_ioctl+0xd8/0x2f0
[ 61.765546]  ? compat_ifr_data_ioctl+0x160/0x160
[ 61.770365]  ? __lock_acquire+0x6ee/0x49c0
[ 61.774606]  ? rcu_read_lock_sched_held+0x110/0x130
[ 61.779630]  ? kmem_cache_alloc+0x32a/0x700
[ 61.784009]  sock_ioctl+0x325/0x610
[ 61.787764]  ? dlci_ioctl_set+0x40/0x40
[ 61.791736]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 61.797312]  ? __might_sleep+0x95/0x190
[ 61.801396]  ? find_held_lock+0x35/0x130
[ 61.805479]  ? dlci_ioctl_set+0x40/0x40
[ 61.809466]  do_vfs_ioctl+0xd5f/0x1380
[ 61.813630]  ? selinux_file_ioctl+0x46f/0x5e0
[ 61.818590]  ? selinux_file_ioctl+0x125/0x5e0
[ 61.823099]  ? ioctl_preallocate+0x210/0x210
[ 61.827524]  ? selinux_file_mprotect+0x620/0x620
[ 61.832293]  ? __sanitizer_cov_trace_cmp1+0xb/0x20
[ 61.837409]  ? __fd_install+0x200/0x640
[ 61.841396]  ? fd_install+0x4d/0x60
[ 61.845176]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 61.851240]  ? security_file_ioctl+0x8d/0xc0
[ 61.855664]  ksys_ioctl+0xab/0xd0
[ 61.859125]  __x64_sys_ioctl+0x73/0xb0
[ 61.863035]  do_syscall_64+0xfd/0x620
[ 61.866856]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.872169] RIP: 0033:0x4412b9
[ 61.875404] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 61.894616] RSP: 002b:00007fff9e19a6a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 61.902808] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
[ 61.910331] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 61.917741] RBP: 000000000000f003 R08: 00000000004002c8 R09: 00000000004002c8
[ 61.926332] R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020e0
[ 61.934487] R13: 0000000000402170 R14: 0000000000000000 R15: 0000000000000000
[ 61.941854]
[ 61.941858] ======================================================
[ 61.941861] WARNING: possible circular locking dependency detected
[ 61.941864] 4.19.91-syzkaller #0 Not tainted
[ 61.941867] ------------------------------------------------------
[ 61.941870] syz-executor381/7933 is trying to acquire lock:
[ 61.941872] 00000000fab81f98 ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[ 61.941881]
[ 61.941884] but task is already holding lock:
[ 61.941885] 000000005cc73143 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 61.941894]
[ 61.941897] which lock already depends on the new lock.
[ 61.941898]
[ 61.941899]
[ 61.941902] the existing dependency chain (in reverse order) is:
[ 61.941904]
[ 61.941905] -> #5 (&obj_hash[i].lock){-.-.}:
[ 61.941914]        _raw_spin_lock_irqsave+0x95/0xcd
[ 61.941916]        debug_object_activate+0x131/0x4e0
[ 61.941919]        enqueue_hrtimer+0x2a/0x3f0
[ 61.941922]        hrtimer_start_range_ns+0x603/0xc70
[ 61.941924]        schedule_hrtimeout_range_clock+0x1a0/0x380
[ 61.941927]        schedule_hrtimeout+0x25/0x30
[ 61.941929]        wait_task_inactive+0x4a2/0x630
[ 61.941932]        __kthread_bind_mask+0x24/0xb0
[ 61.941934]        kthread_bind_mask+0x23/0x30
[ 61.941937]        init_rescuer.part.0+0xfc/0x190
[ 61.941939]        workqueue_init+0x51a/0x808
[ 61.941942]        kernel_init_freeable+0x2c0/0x5c8
[ 61.941944]        kernel_init+0x12/0x1c2
[ 61.941946]        ret_from_fork+0x24/0x30
[ 61.941947]
[ 61.941949] -> #4 (hrtimer_bases.lock){-.-.}:
[ 61.941957]        _raw_spin_lock_irqsave+0x95/0xcd
[ 61.941960]        lock_hrtimer_base.isra.0+0x75/0x130
[ 61.941962]        hrtimer_start_range_ns+0xff/0xc70
[ 61.941965]        enqueue_task_rt+0x998/0xe70
[ 61.941967]        __sched_setscheduler+0xd93/0x1ed0
[ 61.941970]        _sched_setscheduler+0x10a/0x1b0
[ 61.941972]        sched_setscheduler+0xe/0x10
[ 61.941975]        watchdog_dev_init+0xe0/0x1b2
[ 61.941977]        watchdog_init+0x17/0x181
[ 61.941980]        do_one_initcall+0x107/0x78c
[ 61.941982]        kernel_init_freeable+0x4d4/0x5c8
[ 61.941984]        kernel_init+0x12/0x1c2
[ 61.941987]        ret_from_fork+0x24/0x30
[ 61.941988]
[ 61.941989] -> #3 (&rt_b->rt_runtime_lock){-...}:
[ 61.941997]        _raw_spin_lock+0x2f/0x40
[ 61.941999]        rq_online_rt+0xb4/0x390
[ 61.942002]        set_rq_online.part.0+0xe4/0x140
[ 61.942004]        sched_cpu_activate+0x17f/0x270
[ 61.942007]        cpuhp_invoke_callback+0x201/0x1af0
[ 61.942009]        cpuhp_thread_fun+0x453/0x850
[ 61.942012]        smpboot_thread_fn+0x6a3/0xa30
[ 61.942014]        kthread+0x354/0x420
[ 61.942016]        ret_from_fork+0x24/0x30
[ 61.942018]
[ 61.942019] -> #2 (&rq->lock){-.-.}:
[ 61.942027]        _raw_spin_lock+0x2f/0x40
[ 61.942029]        task_fork_fair+0x6a/0x520
[ 61.942031]        sched_fork+0x3af/0x900
[ 61.942034]        copy_process.part.0+0x1859/0x7a30
[ 61.942036]        _do_fork+0x257/0xfd0
[ 61.942038]        kernel_thread+0x34/0x40
[ 61.942041]        rest_init+0x24/0x222
[ 61.942043]        start_kernel+0x88c/0x8c5
[ 61.942046]        x86_64_start_reservations+0x29/0x2b
[ 61.942048]        x86_64_start_kernel+0x77/0x7b
[ 61.942051]        secondary_startup_64+0xa4/0xb0
[ 61.942052]
[ 61.942054] -> #1 (&p->pi_lock){-.-.}:
[ 61.942062]        _raw_spin_lock_irqsave+0x95/0xcd
[ 61.942066]        try_to_wake_up+0x94/0xf50
[ 61.942069]        wake_up_process+0x10/0x20
[ 61.942074]        __up.isra.0+0x136/0x1a0
[ 61.942077]        up+0x9c/0xe0
[ 61.942081]        __up_console_sem+0xb7/0x1c0
[ 61.942085]        console_unlock+0x6c7/0x10d0
[ 61.942089]        vprintk_emit+0x280/0x6d0
[ 61.942092]        vprintk_default+0x28/0x30
[ 61.942096]        vprintk_func+0x7e/0x189
[ 61.942100]        printk+0xba/0xed
[ 61.942104]        regdb_fw_cb.cold+0x18/0x9c
[ 61.942109]        request_firmware_work_func+0x137/0x280
[ 61.942113]        process_one_work+0x989/0x1750
[ 61.942117]        worker_thread+0x98/0xe40
[ 61.942121]        kthread+0x354/0x420
[ 61.942125]        ret_from_fork+0x24/0x30
[ 61.942127]
[ 61.942129] -> #0 ((console_sem).lock){-...}:
[ 61.942138]        lock_acquire+0x16f/0x3f0
[ 61.942141]        _raw_spin_lock_irqsave+0x95/0xcd
[ 61.942143]        down_trylock+0x13/0x70
[ 61.942146]        __down_trylock_console_sem+0xa8/0x210
[ 61.942148]        console_trylock+0x15/0xa0
[ 61.942151]        vprintk_emit+0x267/0x6d0
[ 61.942153]        vprintk_default+0x28/0x30
[ 61.942155]        vprintk_func+0x7e/0x189
[ 61.942157]        printk+0xba/0xed
[ 61.942160]        __warn_printk+0x9b/0xf3
[ 61.942162]        debug_print_object+0x168/0x250
[ 61.942165]        debug_check_no_obj_freed+0x29f/0x464
[ 61.942167]        kfree+0xbd/0x220
[ 61.942169]        rfcomm_dlc_free+0x20/0x30
[ 61.942172]        rfcomm_dev_ioctl+0x1988/0x1c90
[ 61.942174]        rfcomm_sock_ioctl+0x90/0xb0
[ 61.942176]        sock_do_ioctl+0xd8/0x2f0
[ 61.942179]        sock_ioctl+0x325/0x610
[ 61.942181]        do_vfs_ioctl+0xd5f/0x1380
[ 61.942183]        ksys_ioctl+0xab/0xd0
[ 61.942185]        __x64_sys_ioctl+0x73/0xb0
[ 61.942188]        do_syscall_64+0xfd/0x620
[ 61.942191]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.942192]
[ 61.942195] other info that might help us debug this:
[ 61.942196]
[ 61.942197] Chain exists of:
[ 61.942199]   (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 61.942209]
[ 61.942211]  Possible unsafe locking scenario:
[ 61.942213]
[ 61.942215]        CPU0                    CPU1
[ 61.942218]        ----                    ----
[ 61.942219]   lock(&obj_hash[i].lock);
[ 61.942224]                                lock(hrtimer_bases.lock);
[ 61.942230]                                lock(&obj_hash[i].lock);
[ 61.942235]   lock((console_sem).lock);
[ 61.942239]
[ 61.942241]  *** DEADLOCK ***
[ 61.942242]
[ 61.942244] 3 locks held by syz-executor381/7933:
[ 61.942246]  #0: 00000000fdd10d6b (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: rfcomm_sock_ioctl+0x82/0xb0
[ 61.942256]  #1: 0000000063e75eb9 (rfcomm_ioctl_mutex){+.+.}, at: rfcomm_dev_ioctl+0x923/0x1c90
[ 61.942266]  #2: 000000005cc73143 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 61.942276]
[ 61.942277] stack backtrace:
[ 61.942281] CPU: 0 PID: 7933 Comm: syz-executor381 Not tainted 4.19.91-syzkaller #0
[ 61.942286] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.942288] Call Trace:
[ 61.942290]  dump_stack+0x197/0x210
[ 61.942293]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 61.942295]  __lock_acquire+0x2e19/0x49c0
[ 61.942298]  ? mark_held_locks+0x100/0x100
[ 61.942300]  ? kvm_clock_read+0x18/0x30
[ 61.942303]  ? kvm_sched_clock_read+0x9/0x20
[ 61.942305]  lock_acquire+0x16f/0x3f0
[ 61.942307]  ? down_trylock+0x13/0x70
[ 61.942310]  _raw_spin_lock_irqsave+0x95/0xcd
[ 61.942312]  ? down_trylock+0x13/0x70
[ 61.942314]  ? vprintk_emit+0x267/0x6d0
[ 61.942317]  down_trylock+0x13/0x70
[ 61.942319]  ? vprintk_emit+0x267/0x6d0
[ 61.942322]  __down_trylock_console_sem+0xa8/0x210
[ 61.942324]  console_trylock+0x15/0xa0
[ 61.942326]  vprintk_emit+0x267/0x6d0
[ 61.942329]  ? __internal_add_timer+0x1f0/0x1f0
[ 61.942331]  vprintk_default+0x28/0x30
[ 61.942334]  vprintk_func+0x7e/0x189
[ 61.942336]  printk+0xba/0xed
[ 61.942338]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 61.942340]  ? __warn_printk+0x8f/0xf3
[ 61.942343]  ? rfcomm_dlc_link+0x170/0x170
[ 61.942345]  __warn_printk+0x9b/0xf3
[ 61.942348]  ? add_taint.cold+0x16/0x16
[ 61.942350]  ? skb_dequeue+0x12e/0x180
[ 61.942353]  ? rfcomm_dlc_link+0x170/0x170
[ 61.942355]  debug_print_object+0x168/0x250
[ 61.942358]  debug_check_no_obj_freed+0x29f/0x464
[ 61.942360]  kfree+0xbd/0x220
[ 61.942362]  rfcomm_dlc_free+0x20/0x30
[ 61.942364]  rfcomm_dev_ioctl+0x1988/0x1c90
[ 61.942367]  ? mark_held_locks+0xb1/0x100
[ 61.942369]  ? lock_sock_nested+0xe2/0x120
[ 61.942372]  ? rfcomm_tty_install+0x1a0/0x1a0
[ 61.942374]  ? lock_sock_nested+0x9a/0x120
[ 61.942377]  ? trace_hardirqs_on+0x67/0x220
[ 61.942379]  ? __local_bh_enable_ip+0x15a/0x270
[ 61.942382]  rfcomm_sock_ioctl+0x90/0xb0
[ 61.942384]  sock_do_ioctl+0xd8/0x2f0
[ 61.942387]  ? compat_ifr_data_ioctl+0x160/0x160
[ 61.942389]  ? __lock_acquire+0x6ee/0x49c0
[ 61.942392]  ? rcu_read_lock_sched_held+0x110/0x130
[ 61.942394]  ? kmem_cache_alloc+0x32a/0x700
[ 61.942397]  sock_ioctl+0x325/0x610
[ 61.942399]  ? dlci_ioctl_set+0x40/0x40
[ 61.942402]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 61.942404]  ? __might_sleep+0x95/0x190
[ 61.942407]  ? find_held_lock+0x35/0x130
[ 61.942409]  ? dlci_ioctl_set+0x40/0x40
[ 61.942411]  do_vfs_ioctl+0xd5f/0x1380
[ 61.942414]  ? selinux_file_ioctl+0x46f/0x5e0
[ 61.942417]  ? selinux_file_ioctl+0x125/0x5e0
[ 61.942419]  ? ioctl_preallocate+0x210/0x210
[ 61.942422]  ? selinux_file_mprotect+0x620/0x620
[ 61.942425]  ? __sanitizer_cov_trace_cmp1+0xb/0x20
[ 61.942427]  ? __fd_install+0x200/0x640
[ 61.942429]  ? fd_install+0x4d/0x60
[ 61.942432]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 61.942435]  ? security_file_ioctl+0x8d/0xc0
[ 61.942437]  ksys_ioctl+0xab/0xd0
[ 61.942439]  __x64_sys_ioctl+0x73/0xb0
[ 61.942441]  do_syscall_64+0xfd/0x620
[ 61.942444]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.942446] RIP: 0033:0x4412b9
[ 61.942455] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 61.942457] RSP: 002b:00007fff9e19a6a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 61.942464] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
[ 61.942467] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 61.942471] RBP: 000000000000f003 R08: 00000000004002c8 R09: 00000000004002c8
[ 61.942475] R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020e0
[ 61.942478] R13: 0000000000402170 R14: 0000000000000000 R15: 0000000000000000
[ 61.944373] Kernel Offset: disabled
[ 62.922176] Rebooting in 86400 seconds..