[ ok ] Starting file context maintaining daemon: restorecond.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 30.650196] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.857759] kauditd_printk_skb: 10 callbacks suppressed
[ 30.857766] audit: type=1400 audit(1575574944.497:35): avc: denied { map } for pid=7015 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 30.912516] random: sshd: uninitialized urandom read (32 bytes read)
[ 31.480545] random: sshd: uninitialized urandom read (32 bytes read)
[ 31.670346] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.79' (ECDSA) to the list of known hosts.
[ 37.298261] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.411420] audit: type=1400 audit(1575574951.057:36): avc: denied { map } for pid=7029 comm="syz-executor075" path="/root/syz-executor075667365" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 37.650925] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 38.415167] audit: type=1400 audit(1575574952.057:37): avc: denied { create } for pid=7030 comm="syz-executor075" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 38.439783] audit: type=1400 audit(1575574952.057:38): avc: denied { write } for pid=7030 comm="syz-executor075" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 38.467686] audit: type=1400 audit(1575574952.057:39): avc: denied { read } for pid=7030 comm="syz-executor075" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 38.493857] sp0: Synchronizing with TNC
[ 40.560612] Bluetooth: hci0 command 0x1003 tx timeout
[ 40.568575] Bluetooth: hci0 sending frame failed (-49)
[ 42.640213] Bluetooth: hci0 command 0x1001 tx timeout
[ 42.645589] Bluetooth: hci0 sending frame failed (-49)
[ 43.520318] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:747
[ 43.529276] in_atomic(): 1, irqs_disabled(): 0, pid: 0, name: swapper/0
[ 43.536016] 1 lock held by swapper/0/0:
[ 43.539973]  #0:  ((&sp->resync_t)){+.-.}, at: [] call_timer_fn+0xc8/0x670
[ 43.548554] Preemption disabled at:
[ 43.548569] [] schedule_preempt_disabled+0x1d/0x20
[ 43.558646] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.14.158-syzkaller #0
[ 43.565924] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.575296] Call Trace:
[ 43.577865]
[ 43.580005]  dump_stack+0x142/0x197
[ 43.583654]  ? schedule_preempt_disabled+0x1d/0x20
[ 43.588586]  ___might_sleep.cold+0x1bd/0x1f6
[ 43.592983]  __might_sleep+0x93/0xb0
[ 43.596683]  ? tpk_write+0x5d/0x2c0
[ 43.600300]  __mutex_lock+0xb9/0x1470
[ 43.604310]  ? tpk_write+0x5d/0x2c0
[ 43.607931]  ? mutex_trylock+0x1c0/0x1c0
[ 43.611986]  ? trace_hardirqs_on+0x10/0x10
[ 43.616212]  ? debug_object_deactivate+0x1cc/0x350
[ 43.621175]  ? find_held_lock+0x35/0x130
[ 43.625264]  ? save_trace+0x290/0x290
[ 43.629045]  mutex_lock_nested+0x16/0x20
[ 43.633120]  ? mutex_lock_nested+0x16/0x20
[ 43.637337]  tpk_write+0x5d/0x2c0
[ 43.640773]  resync_tnc+0x1bc/0x3d0
[ 43.644384]  call_timer_fn+0x161/0x670
[ 43.648256]  ? sp_put+0x40/0x40
[ 43.651512]  ? __next_timer_interrupt+0x140/0x140
[ 43.656342]  ? trace_hardirqs_on_caller+0x19b/0x590
[ 43.661469]  run_timer_softirq+0x5b7/0x1520
[ 43.665781]  ? sp_put+0x40/0x40
[ 43.669052]  ? add_timer+0xae0/0xae0
[ 43.672765]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 43.678216]  __do_softirq+0x244/0x9a0
[ 43.682018]  ? sched_clock+0x2e/0x50
[ 43.685732]  irq_exit+0x160/0x1b0
[ 43.689173]  smp_apic_timer_interrupt+0x146/0x5e0
[ 43.694037]  apic_timer_interrupt+0x96/0xa0
[ 43.698346]
[ 43.700567] RIP: 0010:native_safe_halt+0xe/0x10
[ 43.705213] RSP: 0018:ffffffff87e07de8 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff10
[ 43.712902] RAX: 1ffffffff0fe2d2c RBX: ffffffff87e76240 RCX: 0000000000000000
[ 43.720193] RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffffffff87e76abc
[ 43.727587] RBP: ffffffff87e07e10 R08: 1ffffffff1164501 R09: 0000000000000000
[ 43.734850] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff87f16950
[ 43.742109] R13: 0000000000000000 R14: 0000000000000000 R15: ffffffff87e76240
[ 43.749679]  ? default_idle+0x4c/0x370
[ 43.753695]  arch_cpu_idle+0xa/0x10
[ 43.757433]  default_idle_call+0x36/0x90
[ 43.761522]  do_idle+0x262/0x3d0
[ 43.764878]  cpu_startup_entry+0x1b/0x20
[ 43.768951]  rest_init+0x1d9/0x1e2
[ 43.772485]  ? trace_event_define_fields_x86_irq_vector+0x2c/0x2c
[ 43.778797]  start_kernel+0x6df/0x6fd
[ 43.782587]  ? mem_encrypt_init+0xb/0xb
[ 43.786545]  ? x86_family+0x32/0x40
[ 43.790154]  ? load_ucode_bsp+0x1ea/0x1f6
[ 43.794284]  x86_64_start_reservations+0x29/0x2b
[ 43.799032]  x86_64_start_kernel+0x77/0x7b
[ 43.803254]  secondary_startup_64+0xa5/0xb0
[ 43.807567]
[ 43.809171] ================================
[ 43.813554] WARNING: inconsistent lock state
[ 43.817953] 4.14.158-syzkaller #0 Tainted: G        W
[ 43.823752] --------------------------------
[ 43.828145] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
[ 43.834268] swapper/0/0 [HC0[0]:SC1[1]:HE1:SE0] takes:
[ 43.839531]  (&tpk_port.port_write_mutex){+.?.}, at: [] tpk_write+0x5d/0x2c0
[ 43.848287] {SOFTIRQ-ON-W} state was registered at:
[ 43.853307]   __lock_acquire+0xc33/0x4620
[ 43.857482]   lock_acquire+0x16f/0x430
[ 43.861361]   __mutex_lock+0xe8/0x1470
[ 43.865352]   mutex_lock_nested+0x16/0x20
[ 43.869485]   tpk_write+0x5d/0x2c0
[ 43.873004]   sixpack_open+0x9b2/0xc85
[ 43.876871]   tty_ldisc_open.isra.0+0x73/0xb0
[ 43.881343]   tty_set_ldisc+0x29a/0x610
[ 43.885290]   tty_ioctl+0x95b/0x1320
[ 43.888989]   do_vfs_ioctl+0x7ae/0x1060
[ 43.892940]   SyS_ioctl+0x8f/0xc0
[ 43.896369]   do_syscall_64+0x1e8/0x640
[ 43.900319]   entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.905663] irq event stamp: 263882
[ 43.909262] hardirqs last  enabled at (263882): [] dump_stack+0x17d/0x197
[ 43.917723] hardirqs last disabled at (263881): [] dump_stack+0xa9/0x197
[ 43.926115] softirqs last  enabled at (263796): [] _local_bh_enable+0x1c/0x30
[ 43.934933] softirqs last disabled at (263797): [] irq_exit+0x160/0x1b0
[ 43.943219]
[ 43.943219] other info that might help us debug this:
[ 43.949856]  Possible unsafe locking scenario:
[ 43.949856]
[ 43.955893]        CPU0
[ 43.958449]        ----
[ 43.961007]   lock(&tpk_port.port_write_mutex);
[ 43.965649]
[ 43.968376]     lock(&tpk_port.port_write_mutex);
[ 43.973197]
[ 43.973197]  *** DEADLOCK ***
[ 43.973197]
[ 43.979239] 1 lock held by swapper/0/0:
[ 43.983184]  #0:  ((&sp->resync_t)){+.-.}, at: [] call_timer_fn+0xc8/0x670
[ 43.991740]
[ 43.991740] stack backtrace:
[ 43.996299] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        W       4.14.158-syzkaller #0
[ 44.005196] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.014525] Call Trace:
[ 44.017084]
[ 44.019215]  dump_stack+0x142/0x197
[ 44.022830]  print_usage_bug.cold+0x330/0x42a
[ 44.027301]  ? save_stack_trace+0x16/0x20
[ 44.031424]  mark_lock+0xdbd/0x1240
[ 44.035024]  ? check_usage_backwards+0x2f0/0x2f0
[ 44.039753]  __lock_acquire+0xb57/0x4620
[ 44.043790]  ? is_bpf_text_address+0xa6/0x120
[ 44.048258]  ? kernel_text_address+0x73/0xf0
[ 44.052654]  ? trace_hardirqs_on+0x10/0x10
[ 44.056864]  ? mark_held_locks+0xb1/0x100
[ 44.060988]  ? dump_stack+0x17d/0x197
[ 44.064766]  ? trace_hardirqs_on_caller+0x19b/0x590
[ 44.069758]  ? dump_stack+0x18a/0x197
[ 44.073535]  lock_acquire+0x16f/0x430
[ 44.077315]  ? tpk_write+0x5d/0x2c0
[ 44.080920]  ? tpk_write+0x5d/0x2c0
[ 44.084525]  __mutex_lock+0xe8/0x1470
[ 44.088301]  ? tpk_write+0x5d/0x2c0
[ 44.091916]  ? tpk_write+0x5d/0x2c0
[ 44.095518]  ? mutex_trylock+0x1c0/0x1c0
[ 44.099652]  ? trace_hardirqs_on+0x10/0x10
[ 44.103864]  ? debug_object_deactivate+0x1cc/0x350
[ 44.108770]  ? find_held_lock+0x35/0x130
[ 44.112823]  ? save_trace+0x290/0x290
[ 44.116606]  mutex_lock_nested+0x16/0x20
[ 44.120652]  ? mutex_lock_nested+0x16/0x20
[ 44.124871]  tpk_write+0x5d/0x2c0
[ 44.128312]  resync_tnc+0x1bc/0x3d0
[ 44.131918]  call_timer_fn+0x161/0x670
[ 44.135779]  ? sp_put+0x40/0x40
[ 44.139062]  ? __next_timer_interrupt+0x140/0x140
[ 44.143902]  ? trace_hardirqs_on_caller+0x19b/0x590
[ 44.148901]  run_timer_softirq+0x5b7/0x1520
[ 44.153203]  ? sp_put+0x40/0x40
[ 44.156459]  ? add_timer+0xae0/0xae0
[ 44.160158]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 44.165588]  __do_softirq+0x244/0x9a0
[ 44.169366]  ? sched_clock+0x2e/0x50
[ 44.173091]  irq_exit+0x160/0x1b0
[ 44.176523]  smp_apic_timer_interrupt+0x146/0x5e0
[ 44.181359]  apic_timer_interrupt+0x96/0xa0
[ 44.185672]
[ 44.187888] RIP: 0010:native_safe_halt+0xe/0x10
[ 44.192528] RSP: 0018:ffffffff87e07de8 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff10
[ 44.200476] RAX: 1ffffffff0fe2d2c RBX: ffffffff87e76240 RCX: 0000000000000000
[ 44.207724] RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffffffff87e76abc
[ 44.215000] RBP: ffffffff87e07e10 R08: 1ffffffff1164501 R09: 0000000000000000
[ 44.222430] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff87f16950
[ 44.229939] R13: 0000000000000000 R14: 0000000000000000 R15: ffffffff87e76240
[ 44.237202]  ? default_idle+0x4c/0x370
[ 44.241087]  arch_cpu_idle+0xa/0x10
[ 44.244693]  default_idle_call+0x36/0x90
[ 44.248744]  do_idle+0x262/0x3d0
[ 44.252087]  cpu_startup_entry+0x1b/0x20
[ 44.256136]  rest_init+0x1d9/0x1e2
[ 44.259656]  ? trace_event_define_fields_x86_irq_vector+0x2c/0x2c
[ 44.265879]  start_kernel+0x6df/0x6fd
[ 44.269653]  ? mem_encrypt_init+0xb/0xb
[ 44.273601]  ? x86_family+0x32/0x40
[ 44.277210]  ? load_ucode_bsp+0x1ea/0x1f6
[ 44.281344]  x86_64_start_reservations+0x29/0x2b
[ 44.286076]  x86_64_start_kernel+0x77/0x7b
[ 44.290296]  secondary_startup_64+0xa5/0xb0
[ 44.720166] Bluetooth: hci0 command 0x1009 tx timeout
[ 49.120333] kobject: 'rfkill4' (ffff88808e38ef28): kobject_uevent_env
[ 49.127209] kobject: 'rfkill4' (ffff88808e38ef28): fill_kobj_path: path = '/devices/virtual/bluetooth/hci0/rfkill4'
[ 49.138353] kobject: 'rfkill4' (ffff88808e38ef28): kobject_cleanup, parent (null)
[ 49.146908] kobject: 'rfkill4' (ffff88808e38ef28): calling ktype release
[ 49.154001] kobject: 'rfkill4': free name
[ 49.158198] kobject: 'hci0' (ffff88809388a8a8): kobject_uevent_env
[ 49.164595] kobject: 'hci0' (ffff88809388a8a8): fill_kobj_path: path = '/devices/virtual/bluetooth/hci0'
[ 49.174386] kobject: 'bluetooth' (ffff88809b1c2200): kobject_cleanup, parent (null)
[ 49.183125] kobject: 'bluetooth' (ffff88809b1c2200): calling ktype release
[ 49.190240] kobject: 'bluetooth': free name
[ 49.194649] kobject: 'hci0' (ffff88809388a8a8): kobject_cleanup, parent (null)
[ 49.203019] kobject: 'hci0' (ffff88809388a8a8): calling ktype release
[ 49.209647] kobject: 'hci0': free name
[ 49.213769] [U] è`è
[ 49.216299] kobject: 'rx-0' (ffff88809c329250): kobject_cleanup, parent ffff8880a1314348
[ 49.224592] kobject: 'rx-0' (ffff88809c329250): auto cleanup 'remove' event
[ 49.231703] kobject: 'rx-0' (ffff88809c329250): kobject_uevent_env
[ 49.238035] kobject: 'rx-0' (ffff88809c329250): fill_kobj_path: path = '/devices/virtual/net/sp0/queues/rx-0'
[ 49.248204] kobject: 'rx-0' (ffff88809c329250): auto cleanup kobject_del
[ 49.255091] kobject: 'rx-0' (ffff88809c329250): calling ktype release
[ 49.261740] kobject: 'rx-0': free name
[ 49.265633] kobject: 'tx-0' (ffff88809d8a87d8): kobject_cleanup, parent ffff8880a1314348
[ 49.273897] kobject: 'tx-0' (ffff88809d8a87d8): auto cleanup 'remove' event
[ 49.281141] kobject: 'tx-0' (ffff88809d8a87d8): kobject_uevent_env
[ 49.287475] kobject: 'tx-0' (ffff88809d8a87d8): fill_kobj_path: path = '/devices/virtual/net/sp0/queues/tx-0'
[ 49.297635] kobject: 'tx-0' (ffff88809d8a87d8): auto cleanup kobject_del
[ 49.304621] kobject: 'tx-0' (ffff88809d8a87d8): calling ktype release
[ 49.311353] kobject: 'tx-0': free name
[ 49.315245] kobject: 'queues' (ffff8880a1314348): kobject_cleanup, parent (null)
[ 49.323677] kobject: 'queues' (ffff8880a1314348): calling ktype release
[ 49.330616] kobject: 'queues' (ffff8880a1314348): kset_release
[ 49.336594] kobject: 'queues': free name
[ 49.340890] kobject: 'sp0' (ffff88808e2df0f0): kobject_uevent_env
[ 49.347159] kobject: 'sp0' (ffff88808e2df0f0): fill_kobj_path: path = '/devices/virtual/net/sp0'
[ 49.356465] kobject: 'sp0' (ffff88808e2df0f0): kobject_cleanup, parent (null)
[ 49.364650] kobject: 'sp0' (ffff88808e2df0f0): calling ktype release
[ 49.371402] kobject: 'sp0': free name