[ 34.849807] audit: type=1800 audit(1583380149.626:33): pid=7259 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 34.877212] audit: type=1800 audit(1583380149.626:34): pid=7259 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 39.362597] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.595748] audit: type=1400 audit(1583380154.376:35): avc: denied { map } for pid=7431 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 39.648570] random: sshd: uninitialized urandom read (32 bytes read)
[ 40.377428] random: sshd: uninitialized urandom read (32 bytes read)
[ 40.566464] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.33' (ECDSA) to the list of known hosts.
[ 46.189538] random: sshd: uninitialized urandom read (32 bytes read)
[ 46.315733] audit: type=1400 audit(1583380161.096:36): avc: denied { map } for pid=7443 comm="syz-executor257" path="/root/syz-executor257956079" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 46.551040] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 47.340991] ODEBUG: activate active (active state 1) object type: rcu_head hint: (null)
[ 47.350687] ------------[ cut here ]------------
[ 47.355526] WARNING: CPU: 1 PID: 7446 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 47.364523] Kernel panic - not syncing: panic_on_warn set ...
[ 47.364523]
[ 47.371875] CPU: 1 PID: 7446 Comm: syz-executor257 Not tainted 4.14.172-syzkaller #0
[ 47.379743] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.389086] Call Trace:
[ 47.391940] dump_stack+0x13e/0x194
[ 47.395567] panic+0x1f9/0x42d
[ 47.398743] ? add_taint.cold+0x16/0x16
[ 47.402727] ? debug_print_object.cold+0xa7/0xdb
[ 47.407475] ? debug_print_object.cold+0xa7/0xdb
[ 47.412223] __warn.cold+0x2f/0x30
[ 47.415752] ? ist_end_non_atomic+0x10/0x10
[ 47.420059] ? debug_print_object.cold+0xa7/0xdb
[ 47.424870] report_bug+0x20a/0x248
[ 47.428484] do_error_trap+0x195/0x2d0
[ 47.432362] ? math_error+0x2d0/0x2d0
[ 47.436235] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 47.441069] invalid_op+0x1b/0x40
[ 47.444516] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 47.449875] RSP: 0018:ffff888096397430 EFLAGS: 00010082
[ 47.455233] RAX: 0000000000000055 RBX: 0000000000000003 RCX: 0000000000000000
[ 47.462504] RDX: 0000000000000000 RSI: ffffffff86ac0860 RDI: ffffed1012c72e7c
[ 47.469762] RBP: ffffffff86ab5f60 R08: 0000000000000055 R09: 0000000000000000
[ 47.477020] R10: fffffbfff14a8ce0 R11: ffff888098f68440 R12: 0000000000000000
[ 47.484275] R13: 0000000000000001 R14: 1ffff11012c72e90 R15: ffffffff87d842c0
[ 47.491563] debug_object_activate+0x307/0x450
[ 47.496126] ? debug_object_free+0x390/0x390
[ 47.500633] ? find_held_lock+0x2d/0x110
[ 47.504735] ? route4_walk+0x450/0x450
[ 47.508650] __call_rcu.constprop.0+0x31/0x7e0
[ 47.513228] route4_change+0xb27/0x1c4d
[ 47.517187] ? route4_delete+0x760/0x760
[ 47.521228] ? route4_delete+0x760/0x760
[ 47.525277] tc_ctl_tfilter+0xf13/0x18e6
[ 47.529319] ? tfilter_notify+0x240/0x240
[ 47.533458] ? mutex_trylock+0x1a0/0x1a0
[ 47.537596] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 47.542152] ? tfilter_notify+0x240/0x240
[ 47.546281] rtnetlink_rcv_msg+0x3be/0xb10
[ 47.550512] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 47.555095] ? save_trace+0x290/0x290
[ 47.558879] ? save_trace+0x290/0x290
[ 47.562672] netlink_rcv_skb+0x127/0x370
[ 47.566731] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 47.571310] ? netlink_ack+0x960/0x960
[ 47.575183] netlink_unicast+0x437/0x620
[ 47.579229] ? netlink_attachskb+0x600/0x600
[ 47.583646] netlink_sendmsg+0x733/0xbe0
[ 47.587686] ? netlink_unicast+0x620/0x620
[ 47.591911] ? SYSC_sendto+0x2b0/0x2b0
[ 47.595776] ? security_socket_sendmsg+0x83/0xb0
[ 47.600594] ? netlink_unicast+0x620/0x620
[ 47.604804] sock_sendmsg+0xc5/0x100
[ 47.608494] ___sys_sendmsg+0x70a/0x840
[ 47.612449] ? trace_hardirqs_on+0x10/0x10
[ 47.616660] ? copy_msghdr_from_user+0x380/0x380
[ 47.621393] ? save_trace+0x290/0x290
[ 47.625171] ? find_held_lock+0x2d/0x110
[ 47.629209] ? lock_downgrade+0x6e0/0x6e0
[ 47.633340] ? __fget+0x228/0x360
[ 47.636772] ? __fget_light+0x199/0x1f0
[ 47.640773] ? sockfd_lookup_light+0xb2/0x160
[ 47.645253] __sys_sendmsg+0xa3/0x120
[ 47.649044] ? SyS_shutdown+0x160/0x160
[ 47.653016] ? move_addr_to_kernel+0x60/0x60
[ 47.657405] SyS_sendmsg+0x27/0x40
[ 47.660924] ? __sys_sendmsg+0x120/0x120
[ 47.664978] do_syscall_64+0x1d5/0x640
[ 47.668860] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 47.674229] RIP: 0033:0x447069
[ 47.677415] RSP: 002b:00007f18cd363d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 47.685105] RAX: ffffffffffffffda RBX: 00000000006ddc78 RCX: 0000000000447069
[ 47.692355] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 47.699602] RBP: 00000000006ddc70 R08: 0000000000000000 R09: 0000000000000000
[ 47.706848] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006ddc7c
[ 47.714093] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[ 47.721348]
[ 47.721350] ======================================================
[ 47.721352] WARNING: possible circular locking dependency detected
[ 47.721353] 4.14.172-syzkaller #0 Not tainted
[ 47.721355] ------------------------------------------------------
[ 47.721356] syz-executor257/7446 is trying to acquire lock:
[ 47.721357] ((console_sem).lock){-...}, at: [] down_trylock+0xe/0x60
[ 47.721361]
[ 47.721362] but task is already holding lock:
[ 47.721363] (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[ 47.721367]
[ 47.721368] which lock already depends on the new lock.
[ 47.721369]
[ 47.721369]
[ 47.721371] the existing dependency chain (in reverse order) is:
[ 47.721372]
[ 47.721372] -> #5 (&obj_hash[i].lock){-.-.}:
[ 47.721376]        _raw_spin_lock_irqsave+0x8c/0xbf
[ 47.721378]        debug_object_activate+0x10b/0x450
[ 47.721379]        enqueue_hrtimer+0x22/0x3b0
[ 47.721380]        hrtimer_start_range_ns+0x4e6/0x1060
[ 47.721381]        schedule_hrtimeout_range_clock+0x13c/0x2f0
[ 47.721383]        wait_task_inactive+0x478/0x530
[ 47.721384]        __kthread_bind_mask+0x1f/0xb0
[ 47.721385]        create_worker+0x313/0x530
[ 47.721386]        workqueue_init+0x55f/0x66e
[ 47.721387]        kernel_init_freeable+0x2ab/0x526
[ 47.721388]        kernel_init+0xd/0x15b
[ 47.721390]        ret_from_fork+0x24/0x30
[ 47.721394]
[ 47.721395] -> #4 (hrtimer_bases.lock){-.-.}:
[ 47.721399]        _raw_spin_lock_irqsave+0x8c/0xbf
[ 47.721400]        lock_hrtimer_base.isra.0+0x6d/0x120
[ 47.721401]        hrtimer_start_range_ns+0x7b/0x1060
[ 47.721403]        enqueue_task_rt+0x94d/0xdb0
[ 47.721404]        __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 47.721405]        _sched_setscheduler+0xf9/0x150
[ 47.721406]        watchdog_enable+0xff/0x150
[ 47.721407]        smpboot_thread_fn+0x40d/0x920
[ 47.721409]        kthread+0x30d/0x420
[ 47.721410]        ret_from_fork+0x24/0x30
[ 47.721410]
[ 47.721411] -> #3 (&rt_b->rt_runtime_lock){-...}:
[ 47.721415]        _raw_spin_lock+0x2a/0x40
[ 47.721416]        enqueue_task_rt+0x508/0xdb0
[ 47.721418]        __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 47.721419]        _sched_setscheduler+0xf9/0x150
[ 47.721420]        watchdog_enable+0xff/0x150
[ 47.721421]        smpboot_thread_fn+0x40d/0x920
[ 47.721422]        kthread+0x30d/0x420
[ 47.721423]        ret_from_fork+0x24/0x30
[ 47.721424]
[ 47.721425] -> #2 (&rq->lock){-.-.}:
[ 47.721428]        _raw_spin_lock+0x2a/0x40
[ 47.721430]        task_fork_fair+0x63/0x5b0
[ 47.721431]        sched_fork+0x39a/0xbd0
[ 47.721432]        copy_process.part.0+0x15b7/0x6a70
[ 47.721433]        _do_fork+0x180/0xc80
[ 47.721434]        kernel_thread+0x2f/0x40
[ 47.721435]        rest_init+0x1f/0x1d2
[ 47.721436]        start_kernel+0x659/0x676
[ 47.721437]        secondary_startup_64+0xa5/0xb0
[ 47.721438]
[ 47.721439] -> #1 (&p->pi_lock){-.-.}:
[ 47.721443]        _raw_spin_lock_irqsave+0x8c/0xbf
[ 47.721444]        try_to_wake_up+0x6a/0xef0
[ 47.721445]        up+0x92/0xe0
[ 47.721446]        __up_console_sem+0xa9/0x1b0
[ 47.721447]        console_unlock+0x596/0xec0
[ 47.721448]        vprintk_emit+0x1f8/0x600
[ 47.721449]        vprintk_func+0x58/0x152
[ 47.721450]        printk+0x9e/0xbc
[ 47.721452]        kauditd_hold_skb.cold+0x3e/0x4d
[ 47.721453]        kauditd_send_queue+0xfb/0x140
[ 47.721454]        kauditd_thread+0x625/0x840
[ 47.721455]        kthread+0x30d/0x420
[ 47.721456]        ret_from_fork+0x24/0x30
[ 47.721457]
[ 47.721457] -> #0 ((console_sem).lock){-...}:
[ 47.721461]        lock_acquire+0x170/0x3f0
[ 47.721463]        _raw_spin_lock_irqsave+0x8c/0xbf
[ 47.721464]        down_trylock+0xe/0x60
[ 47.721465]        __down_trylock_console_sem+0x97/0x1f0
[ 47.721466]        console_trylock+0x14/0x70
[ 47.721467]        vprintk_emit+0x1ea/0x600
[ 47.721469]        vprintk_func+0x58/0x152
[ 47.721470]        printk+0x9e/0xbc
[ 47.721471]        debug_print_object.cold+0xa7/0xdb
[ 47.721472]        debug_object_activate+0x307/0x450
[ 47.721473]        __call_rcu.constprop.0+0x31/0x7e0
[ 47.721475]        route4_change+0xb27/0x1c4d
[ 47.721476]        tc_ctl_tfilter+0xf13/0x18e6
[ 47.721477]        rtnetlink_rcv_msg+0x3be/0xb10
[ 47.721478]        netlink_rcv_skb+0x127/0x370
[ 47.721479]        netlink_unicast+0x437/0x620
[ 47.721480]        netlink_sendmsg+0x733/0xbe0
[ 47.721482]        sock_sendmsg+0xc5/0x100
[ 47.721483]        ___sys_sendmsg+0x70a/0x840
[ 47.721484]        __sys_sendmsg+0xa3/0x120
[ 47.721485]        SyS_sendmsg+0x27/0x40
[ 47.721486]        do_syscall_64+0x1d5/0x640
[ 47.721487]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 47.721488]
[ 47.721489] other info that might help us debug this:
[ 47.721490]
[ 47.721491] Chain exists of:
[ 47.721492]   (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 47.721497]
[ 47.721498]  Possible unsafe locking scenario:
[ 47.721499]
[ 47.721500]        CPU0                    CPU1
[ 47.721501]        ----                    ----
[ 47.721502]   lock(&obj_hash[i].lock);
[ 47.721504]                                lock(hrtimer_bases.lock);
[ 47.721507]                                lock(&obj_hash[i].lock);
[ 47.721509]   lock((console_sem).lock);
[ 47.721512]
[ 47.721512]  *** DEADLOCK ***
[ 47.721513]
[ 47.721514] 2 locks held by syz-executor257/7446:
[ 47.721515]  #0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10
[ 47.721519]  #1: (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[ 47.721524]
[ 47.721525] stack backtrace:
[ 47.721526] CPU: 1 PID: 7446 Comm: syz-executor257 Not tainted 4.14.172-syzkaller #0
[ 47.721529] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.721529] Call Trace:
[ 47.721531] dump_stack+0x13e/0x194
[ 47.721532] print_circular_bug.isra.0.cold+0x1c4/0x282
[ 47.721533] __lock_acquire+0x2cb3/0x4620
[ 47.721534] ? string+0x17e/0x1d0
[ 47.721535] ? trace_hardirqs_on+0x10/0x10
[ 47.721536] ? netdev_bits+0xa0/0xa0
[ 47.721537] ? kvm_clock_read+0x1f/0x30
[ 47.721539] ? kvm_sched_clock_read+0x5/0x10
[ 47.721540] lock_acquire+0x170/0x3f0
[ 47.721541] ? down_trylock+0xe/0x60
[ 47.721542] _raw_spin_lock_irqsave+0x8c/0xbf
[ 47.721543] ? down_trylock+0xe/0x60
[ 47.721544] down_trylock+0xe/0x60
[ 47.721545] ? vprintk_emit+0x1ea/0x600
[ 47.721546] __down_trylock_console_sem+0x97/0x1f0
[ 47.721548] console_trylock+0x14/0x70
[ 47.721549] vprintk_emit+0x1ea/0x600
[ 47.721550] vprintk_func+0x58/0x152
[ 47.721551] printk+0x9e/0xbc
[ 47.721552] ? show_regs_print_info+0x5b/0x5b
[ 47.721553] ? lock_acquire+0x170/0x3f0
[ 47.721554] ? debug_object_activate+0x10b/0x450
[ 47.721555] debug_print_object.cold+0xa7/0xdb
[ 47.721557] debug_object_activate+0x307/0x450
[ 47.721558] ? debug_object_free+0x390/0x390
[ 47.721559] ? find_held_lock+0x2d/0x110
[ 47.721560] ? route4_walk+0x450/0x450
[ 47.721561] __call_rcu.constprop.0+0x31/0x7e0
[ 47.721562] route4_change+0xb27/0x1c4d
[ 47.721563] ? route4_delete+0x760/0x760
[ 47.721565] ? route4_delete+0x760/0x760
[ 47.721566] tc_ctl_tfilter+0xf13/0x18e6
[ 47.721567] ? tfilter_notify+0x240/0x240
[ 47.721568] ? mutex_trylock+0x1a0/0x1a0
[ 47.721569] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 47.721570] ? tfilter_notify+0x240/0x240
[ 47.721571] rtnetlink_rcv_msg+0x3be/0xb10
[ 47.721573] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 47.721574] ? save_trace+0x290/0x290
[ 47.721575] ? save_trace+0x290/0x290
[ 47.721576] netlink_rcv_skb+0x127/0x370
[ 47.721577] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 47.721578] ? netlink_ack+0x960/0x960
[ 47.721579] netlink_unicast+0x437/0x620
[ 47.721580] ? netlink_attachskb+0x600/0x600
[ 47.721582] netlink_sendmsg+0x733/0xbe0
[ 47.721583] ? netlink_unicast+0x620/0x620
[ 47.721584] ? SYSC_sendto+0x2b0/0x2b0
[ 47.721585] ? security_socket_sendmsg+0x83/0xb0
[ 47.721586] ? netlink_unicast+0x620/0x620
[ 47.721587] sock_sendmsg+0xc5/0x100
[ 47.721588] ___sys_sendmsg+0x70a/0x840
[ 47.721589] ? trace_hardirqs_on+0x10/0x10
[ 47.721591] ? copy_msghdr_from_user+0x380/0x380
[ 47.721592] ? save_trace+0x290/0x290
[ 47.721593] ? find_held_lock+0x2d/0x110
[ 47.721594] ? lock_downgrade+0x6e0/0x6e0
[ 47.721595] ? __fget+0x228/0x360
[ 47.721596] ? __fget_light+0x199/0x1f0
[ 47.721597] ? sockfd_lookup_light+0xb2/0x160
[ 47.721598] __sys_sendmsg+0xa3/0x120
[ 47.721600] ? SyS_shutdown+0x160/0x160
[ 47.721601] ? move_addr_to_kernel+0x60/0x60
[ 47.721602] SyS_sendmsg+0x27/0x40
[ 47.721603] ? __sys_sendmsg+0x120/0x120
[ 47.721604] do_syscall_64+0x1d5/0x640
[ 47.721605] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 47.721606] RIP: 0033:0x447069
[ 47.721607] RSP: 002b:00007f18cd363d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 47.721610] RAX: ffffffffffffffda RBX: 00000000006ddc78 RCX: 0000000000447069
[ 47.721612] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 47.721614] RBP: 00000000006ddc70 R08: 0000000000000000 R09: 0000000000000000
[ 47.721616] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006ddc7c
[ 47.721617] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[ 47.723053] Kernel Offset: disabled
[ 48.608550] Rebooting in 86400 seconds..