[ 33.773226] audit: type=1800 audit(1584626949.647:33): pid=7121 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.800163] audit: type=1800 audit(1584626949.647:34): pid=7121 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 37.254168] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.553728] audit: type=1400 audit(1584626953.427:35): avc: denied { map } for pid=7293 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.605860] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.315049] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.502829] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.120' (ECDSA) to the list of known hosts.
[ 44.095911] random: sshd: uninitialized urandom read (32 bytes read)
[ 44.216806] audit: type=1400 audit(1584626960.087:36): avc: denied { map } for pid=7305 comm="syz-executor674" path="/root/syz-executor674885454" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 44.461072] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 45.233843] ODEBUG: activate active (active state 1) object type: rcu_head hint: (null)
[ 45.243621] ------------[ cut here ]------------
[ 45.248397] WARNING: CPU: 1 PID: 7308 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 45.257396] Kernel panic - not syncing: panic_on_warn set ...
[ 45.257396]
[ 45.265440] CPU: 1 PID: 7308 Comm: syz-executor674 Not tainted 4.14.173-syzkaller #0
[ 45.273303] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.282743] Call Trace:
[ 45.285325] dump_stack+0x13e/0x194
[ 45.288936] panic+0x1f9/0x42d
[ 45.292124] ? add_taint.cold+0x16/0x16
[ 45.296108] ? debug_print_object.cold+0xa7/0xdb
[ 45.300856] ? debug_print_object.cold+0xa7/0xdb
[ 45.305595] __warn.cold+0x2f/0x30
[ 45.309117] ? ist_end_non_atomic+0x10/0x10
[ 45.313420] ? debug_print_object.cold+0xa7/0xdb
[ 45.318308] report_bug+0x20a/0x248
[ 45.321923] do_error_trap+0x195/0x2d0
[ 45.325810] ? math_error+0x2d0/0x2d0
[ 45.329685] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 45.334614] invalid_op+0x1b/0x40
[ 45.338152] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 45.343498] RSP: 0018:ffff8880a8f9f430 EFLAGS: 00010082
[ 45.348866] RAX: 0000000000000055 RBX: 0000000000000003 RCX: 0000000000000000
[ 45.356133] RDX: 0000000000000000 RSI: ffffffff86ac07e0 RDI: ffffed10151f3e7c
[ 45.363905] RBP: ffffffff86ab5ee0 R08: 0000000000000055 R09: 0000000000000000
[ 45.371156] R10: fffffbfff14a8cd8 R11: ffff88809500c480 R12: 0000000000000000
[ 45.378412] R13: 0000000000000001 R14: 1ffff110151f3e90 R15: ffffffff87d84240
[ 45.385928] debug_object_activate+0x307/0x450
[ 45.390509] ? debug_object_free+0x390/0x390
[ 45.394913] ? find_held_lock+0x2d/0x110
[ 45.398958] ? route4_walk+0x450/0x450
[ 45.402825] __call_rcu.constprop.0+0x31/0x7e0
[ 45.407396] route4_change+0xb27/0x1c4d
[ 45.411374] ? route4_delete+0x760/0x760
[ 45.415416] ? route4_delete+0x760/0x760
[ 45.419457] tc_ctl_tfilter+0xf13/0x18e6
[ 45.423501] ? tfilter_notify+0x240/0x240
[ 45.427644] ? mutex_trylock+0x1a0/0x1a0
[ 45.431687] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 45.436091] ? tfilter_notify+0x240/0x240
[ 45.440234] rtnetlink_rcv_msg+0x3be/0xb10
[ 45.444469] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.449034] ? save_trace+0x290/0x290
[ 45.453506] ? save_trace+0x290/0x290
[ 45.457285] netlink_rcv_skb+0x127/0x370
[ 45.461342] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.465906] ? netlink_ack+0x960/0x960
[ 45.469775] netlink_unicast+0x437/0x620
[ 45.473921] ? netlink_attachskb+0x600/0x600
[ 45.478308] netlink_sendmsg+0x733/0xbe0
[ 45.482349] ? netlink_unicast+0x620/0x620
[ 45.486578] ? SYSC_sendto+0x2b0/0x2b0
[ 45.490448] ? security_socket_sendmsg+0x83/0xb0
[ 45.495181] ? netlink_unicast+0x620/0x620
[ 45.499398] sock_sendmsg+0xc5/0x100
[ 45.503092] ___sys_sendmsg+0x70a/0x840
[ 45.507071] ? trace_hardirqs_on+0x10/0x10
[ 45.511293] ? copy_msghdr_from_user+0x380/0x380
[ 45.516032] ? find_held_lock+0x2d/0x110
[ 45.520073] ? lock_downgrade+0x6e0/0x6e0
[ 45.524203] ? __fget+0x228/0x360
[ 45.527652] ? __fget_light+0x199/0x1f0
[ 45.531615] ? sockfd_lookup_light+0xb2/0x160
[ 45.536089] __sys_sendmsg+0xa3/0x120
[ 45.539872] ? SyS_shutdown+0x160/0x160
[ 45.543836] ? move_addr_to_kernel+0x60/0x60
[ 45.548918] ? __do_page_fault+0x35b/0xb40
[ 45.553135] SyS_sendmsg+0x27/0x40
[ 45.556653] ? __sys_sendmsg+0x120/0x120
[ 45.561155] do_syscall_64+0x1d5/0x640
[ 45.565208] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.570378] RIP: 0033:0x446e89
[ 45.573549] RSP: 002b:00007fd9aa73cd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 45.581398] RAX: ffffffffffffffda RBX: 00000000006dbc68 RCX: 0000000000446e89
[ 45.588659] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 45.595966] RBP: 00000000006dbc60 R08: 0000000000000000 R09: 0000000000000000
[ 45.603318] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc6c
[ 45.611374] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[ 45.618636]
[ 45.618639] ======================================================
[ 45.618640] WARNING: possible circular locking dependency detected
[ 45.618642] 4.14.173-syzkaller #0 Not tainted
[ 45.618643] ------------------------------------------------------
[ 45.618645] syz-executor674/7308 is trying to acquire lock:
[ 45.618646] ((console_sem).lock){-...}, at: [] down_trylock+0xe/0x60
[ 45.618650]
[ 45.618651] but task is already holding lock:
[ 45.618652] (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[ 45.618656]
[ 45.618658] which lock already depends on the new lock.
[ 45.618658]
[ 45.618659]
[ 45.618661] the existing dependency chain (in reverse order) is:
[ 45.618661]
[ 45.618673] -> #5 (&obj_hash[i].lock){-.-.}:
[ 45.618677] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.618678] debug_object_activate+0x10b/0x450
[ 45.618680] enqueue_hrtimer+0x22/0x3b0
[ 45.618681] hrtimer_start_range_ns+0x4e6/0x1060
[ 45.618683] schedule_hrtimeout_range_clock+0x13c/0x2f0
[ 45.618684] wait_task_inactive+0x478/0x530
[ 45.618685] __kthread_bind_mask+0x1f/0xb0
[ 45.618686] create_worker+0x313/0x530
[ 45.618688] workqueue_init+0x55f/0x66e
[ 45.618689] kernel_init_freeable+0x2ab/0x526
[ 45.618690] kernel_init+0xd/0x15b
[ 45.618691] ret_from_fork+0x24/0x30
[ 45.618692]
[ 45.618693] -> #4 (hrtimer_bases.lock){-.-.}:
[ 45.618697] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.618698] lock_hrtimer_base.isra.0+0x6d/0x120
[ 45.618700] hrtimer_start_range_ns+0x7b/0x1060
[ 45.618701] enqueue_task_rt+0x94d/0xdb0
[ 45.618702] __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 45.618704] _sched_setscheduler+0xf9/0x150
[ 45.618705] watchdog_enable+0xff/0x150
[ 45.618706] smpboot_thread_fn+0x40d/0x920
[ 45.618707] kthread+0x30d/0x420
[ 45.618708] ret_from_fork+0x24/0x30
[ 45.618709]
[ 45.618710] -> #3 (&rt_b->rt_runtime_lock){-.-.}:
[ 45.618714] _raw_spin_lock+0x2a/0x40
[ 45.618715] enqueue_task_rt+0x508/0xdb0
[ 45.618717] __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 45.618718] _sched_setscheduler+0xf9/0x150
[ 45.618719] watchdog_enable+0xff/0x150
[ 45.618720] smpboot_thread_fn+0x40d/0x920
[ 45.618722] kthread+0x30d/0x420
[ 45.618723] ret_from_fork+0x24/0x30
[ 45.618723]
[ 45.618724] -> #2 (&rq->lock){-.-.}:
[ 45.618728] _raw_spin_lock+0x2a/0x40
[ 45.618729] task_fork_fair+0x63/0x5b0
[ 45.618730] sched_fork+0x39a/0xbd0
[ 45.618731] copy_process.part.0+0x15b7/0x6a70
[ 45.618733] _do_fork+0x180/0xc80
[ 45.618734] kernel_thread+0x2f/0x40
[ 45.618735] rest_init+0x1f/0x1d2
[ 45.618736] start_kernel+0x659/0x676
[ 45.618737] secondary_startup_64+0xa5/0xb0
[ 45.618738]
[ 45.618739] -> #1 (&p->pi_lock){-.-.}:
[ 45.618743] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.618744] try_to_wake_up+0x6a/0xef0
[ 45.618745] up+0x92/0xe0
[ 45.618746] __up_console_sem+0xa9/0x1b0
[ 45.618747] console_unlock+0x596/0xec0
[ 45.618748] vprintk_emit+0x1f8/0x600
[ 45.618750] vprintk_func+0x58/0x152
[ 45.618751] printk+0x9e/0xbc
[ 45.618752] kauditd_hold_skb.cold+0x3e/0x4d
[ 45.618753] kauditd_send_queue+0xfb/0x140
[ 45.618754] kauditd_thread+0x625/0x840
[ 45.618756] kthread+0x30d/0x420
[ 45.618757] ret_from_fork+0x24/0x30
[ 45.618757]
[ 45.618758] -> #0 ((console_sem).lock){-...}:
[ 45.618762] lock_acquire+0x170/0x3f0
[ 45.618763] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.618765] down_trylock+0xe/0x60
[ 45.618766] __down_trylock_console_sem+0x97/0x1f0
[ 45.618767] console_trylock+0x14/0x70
[ 45.618768] vprintk_emit+0x1ea/0x600
[ 45.618770] vprintk_func+0x58/0x152
[ 45.618771] printk+0x9e/0xbc
[ 45.618772] debug_print_object.cold+0xa7/0xdb
[ 45.618773] debug_object_activate+0x307/0x450
[ 45.618775] __call_rcu.constprop.0+0x31/0x7e0
[ 45.618776] route4_change+0xb27/0x1c4d
[ 45.618777] tc_ctl_tfilter+0xf13/0x18e6
[ 45.618778] rtnetlink_rcv_msg+0x3be/0xb10
[ 45.618780] netlink_rcv_skb+0x127/0x370
[ 45.618781] netlink_unicast+0x437/0x620
[ 45.618782] netlink_sendmsg+0x733/0xbe0
[ 45.618783] sock_sendmsg+0xc5/0x100
[ 45.618784] ___sys_sendmsg+0x70a/0x840
[ 45.618785] __sys_sendmsg+0xa3/0x120
[ 45.618787] SyS_sendmsg+0x27/0x40
[ 45.618788] do_syscall_64+0x1d5/0x640
[ 45.618789] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.618790]
[ 45.618791] other info that might help us debug this:
[ 45.618792]
[ 45.618793] Chain exists of:
[ 45.618793] (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 45.618799]
[ 45.618800] Possible unsafe locking scenario:
[ 45.618800]
[ 45.618802] CPU0 CPU1
[ 45.618803] ---- ----
[ 45.618803] lock(&obj_hash[i].lock);
[ 45.618806] lock(hrtimer_bases.lock);
[ 45.618809] lock(&obj_hash[i].lock);
[ 45.618811] lock((console_sem).lock);
[ 45.618814]
[ 45.618815] *** DEADLOCK ***
[ 45.618815]
[ 45.618817] 2 locks held by syz-executor674/7308:
[ 45.618817] #0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10
[ 45.618822] #1: (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[ 45.618826]
[ 45.618827] stack backtrace:
[ 45.618829] CPU: 1 PID: 7308 Comm: syz-executor674 Not tainted 4.14.173-syzkaller #0
[ 45.618831] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.618832] Call Trace:
[ 45.618833] dump_stack+0x13e/0x194
[ 45.618835] print_circular_bug.isra.0.cold+0x1c4/0x282
[ 45.618836] __lock_acquire+0x2cb3/0x4620
[ 45.618837] ? string+0x17e/0x1d0
[ 45.618838] ? trace_hardirqs_on+0x10/0x10
[ 45.618840] ? netdev_bits+0xa0/0xa0
[ 45.618841] ? kvm_clock_read+0x1f/0x30
[ 45.618842] ? kvm_sched_clock_read+0x5/0x10
[ 45.618843] lock_acquire+0x170/0x3f0
[ 45.618844] ? down_trylock+0xe/0x60
[ 45.618845] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.618846] ? down_trylock+0xe/0x60
[ 45.618848] down_trylock+0xe/0x60
[ 45.618849] ? vprintk_emit+0x1ea/0x600
[ 45.618850] __down_trylock_console_sem+0x97/0x1f0
[ 45.618851] console_trylock+0x14/0x70
[ 45.618852] vprintk_emit+0x1ea/0x600
[ 45.618853] vprintk_func+0x58/0x152
[ 45.618854] printk+0x9e/0xbc
[ 45.618856] ? show_regs_print_info+0x5b/0x5b
[ 45.618857] ? lock_acquire+0x170/0x3f0
[ 45.618858] ? debug_object_activate+0x10b/0x450
[ 45.618860] debug_print_object.cold+0xa7/0xdb
[ 45.618861] debug_object_activate+0x307/0x450
[ 45.618862] ? debug_object_free+0x390/0x390
[ 45.618863] ? find_held_lock+0x2d/0x110
[ 45.618865] ? route4_walk+0x450/0x450
[ 45.618866] __call_rcu.constprop.0+0x31/0x7e0
[ 45.618867] route4_change+0xb27/0x1c4d
[ 45.618868] ? route4_delete+0x760/0x760
[ 45.618869] ? route4_delete+0x760/0x760
[ 45.618870] tc_ctl_tfilter+0xf13/0x18e6
[ 45.618872] ? tfilter_notify+0x240/0x240
[ 45.618873] ? mutex_trylock+0x1a0/0x1a0
[ 45.618874] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 45.618875] ? tfilter_notify+0x240/0x240
[ 45.618877] rtnetlink_rcv_msg+0x3be/0xb10
[ 45.618878] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.618879] ? save_trace+0x290/0x290
[ 45.618880] ? save_trace+0x290/0x290
[ 45.618881] netlink_rcv_skb+0x127/0x370
[ 45.618883] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.618884] ? netlink_ack+0x960/0x960
[ 45.618885] netlink_unicast+0x437/0x620
[ 45.618886] ? netlink_attachskb+0x600/0x600
[ 45.618887] netlink_sendmsg+0x733/0xbe0
[ 45.618889] ? netlink_unicast+0x620/0x620
[ 45.618890] ? SYSC_sendto+0x2b0/0x2b0
[ 45.618891] ? security_socket_sendmsg+0x83/0xb0
[ 45.618892] ? netlink_unicast+0x620/0x620
[ 45.618893] sock_sendmsg+0xc5/0x100
[ 45.618895] ___sys_sendmsg+0x70a/0x840
[ 45.618896] ? trace_hardirqs_on+0x10/0x10
[ 45.618897] ? copy_msghdr_from_user+0x380/0x380
[ 45.618898] ? find_held_lock+0x2d/0x110
[ 45.618899] ? lock_downgrade+0x6e0/0x6e0
[ 45.618900] ? __fget+0x228/0x360
[ 45.618902] ? __fget_light+0x199/0x1f0
[ 45.618903] ? sockfd_lookup_light+0xb2/0x160
[ 45.618904] __sys_sendmsg+0xa3/0x120
[ 45.618905] ? SyS_shutdown+0x160/0x160
[ 45.618906] ? move_addr_to_kernel+0x60/0x60
[ 45.618908] ? __do_page_fault+0x35b/0xb40
[ 45.618909] SyS_sendmsg+0x27/0x40
[ 45.618910] ? __sys_sendmsg+0x120/0x120
[ 45.618911] do_syscall_64+0x1d5/0x640
[ 45.618912] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.618913] RIP: 0033:0x446e89
[ 45.618915] RSP: 002b:00007fd9aa73cd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 45.618918] RAX: ffffffffffffffda RBX: 00000000006dbc68 RCX: 0000000000446e89
[ 45.618920] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 45.618922] RBP: 00000000006dbc60 R08: 0000000000000000 R09: 0000000000000000
[ 45.618924] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc6c
[ 45.618925] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[ 45.620408] Kernel Offset: disabled
[ 46.520536] Rebooting in 86400 seconds..