[ 33.792831] audit: type=1800 audit(1572788963.710:33): pid=6931 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.816648] audit: type=1800 audit(1572788963.710:34): pid=6931 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 38.872008] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.374445] audit: type=1400 audit(1572788969.290:35): avc: denied { map } for pid=7102 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 39.426456] random: sshd: uninitialized urandom read (32 bytes read)
[ 40.004458] random: sshd: uninitialized urandom read (32 bytes read)
[ 40.197318] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.24' (ECDSA) to the list of known hosts.
[ 45.788042] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 45.905254] audit: type=1400 audit(1572788975.820:36): avc: denied { map } for pid=7115 comm="syz-executor545" path="/root/syz-executor545430986" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 50.916496] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x60
[ 50.927307] ------------[ cut here ]------------
[ 50.932127] WARNING: CPU: 0 PID: 7118 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 50.941133] Kernel panic - not syncing: panic_on_warn set ...
[ 50.941133]
[ 50.948493] CPU: 0 PID: 7118 Comm: syz-executor545 Not tainted 4.14.151 #0
[ 50.955585] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.964923] Call Trace:
[ 50.967609]  dump_stack+0x138/0x197
[ 50.971224]  panic+0x1f9/0x42d
[ 50.974410]  ? add_taint.cold+0x16/0x16
[ 50.978367]  ? debug_print_object.cold+0xa7/0xdb
[ 50.983120]  ? debug_print_object.cold+0xa7/0xdb
[ 50.987947]  __warn.cold+0x2f/0x2f
[ 50.991482]  ? ist_end_non_atomic+0x10/0x10
[ 50.995796]  ? debug_print_object.cold+0xa7/0xdb
[ 51.000550]  report_bug+0x216/0x254
[ 51.004161]  do_error_trap+0x1bb/0x310
[ 51.008038]  ? math_error+0x360/0x360
[ 51.011865]  ? vprintk_emit+0x171/0x600
[ 51.015851]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 51.020679]  do_invalid_op+0x1b/0x20
[ 51.024375]  invalid_op+0x1b/0x40
[ 51.027824] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 51.033206] RSP: 0018:ffff8880a911faa8 EFLAGS: 00010086
[ 51.038572] RAX: 000000000000005e RBX: 0000000000000003 RCX: 0000000000000000
[ 51.045884] RDX: 0000000000000000 RSI: ffffffff866d1160 RDI: ffffed1015223f4b
[ 51.053150] RBP: ffff8880a911fad0 R08: 000000000000005e R09: 0000000000000000
[ 51.060404] R10: 0000000000000000 R11: ffff888092b0e040 R12: ffffffff866cc360
[ 51.067653] R13: ffffffff8582ec90 R14: 0000000000000000 R15: ffff8880a96aeb28
[ 51.075144]  ? rfcomm_session_add+0x340/0x340
[ 51.079640]  ? debug_print_object.cold+0xa7/0xdb
[ 51.084448]  debug_check_no_obj_freed+0x3f5/0x7b7
[ 51.089284]  ? free_obj_work+0x6d0/0x6d0
[ 51.093343]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 51.098908]  kfree+0xbd/0x270
[ 51.102000]  rfcomm_dlc_free+0x20/0x30
[ 51.106221]  rfcomm_dev_ioctl+0x1590/0x18b0
[ 51.110547]  ? mark_held_locks+0xb1/0x100
[ 51.114679]  ? __local_bh_enable_ip+0x99/0x1a0
[ 51.119258]  ? rfcomm_dev_state_change+0x130/0x130
[ 51.124203]  ? __local_bh_enable_ip+0x99/0x1a0
[ 51.128970]  rfcomm_sock_ioctl+0x82/0xa0
[ 51.133138]  sock_do_ioctl+0x64/0xb0
[ 51.136857]  sock_ioctl+0x2a6/0x470
[ 51.140511]  ? dlci_ioctl_set+0x40/0x40
[ 51.144481]  do_vfs_ioctl+0x7ae/0x1060
[ 51.148357]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 51.153098]  ? ioctl_preallocate+0x1c0/0x1c0
[ 51.157500]  ? fd_install+0x4d/0x60
[ 51.161112]  ? security_file_ioctl+0x7d/0xb0
[ 51.165504]  ? security_file_ioctl+0x89/0xb0
[ 51.169894]  SyS_ioctl+0x8f/0xc0
[ 51.173257]  ? do_vfs_ioctl+0x1060/0x1060
[ 51.177389]  do_syscall_64+0x1e8/0x640
[ 51.181271]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 51.186098]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 51.191287] RIP: 0033:0x441229
[ 51.194477] RSP: 002b:00007ffd523e9b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 51.202488] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 51.209875] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 51.217132] RBP: 000000000000c6de R08: 00000000004002c8 R09: 00000000004002c8
[ 51.224403] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 51.231675] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 51.238969]
[ 51.238971] ======================================================
[ 51.238972] WARNING: possible circular locking dependency detected
[ 51.238974] 4.14.151 #0 Not tainted
[ 51.238975] ------------------------------------------------------
[ 51.238976] syz-executor545/7118 is trying to acquire lock:
[ 51.238978]  ((console_sem).lock){-...}, at: [] down_trylock+0x13/0x70
[ 51.238982]
[ 51.238983] but task is already holding lock:
[ 51.238984]  (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x12d/0x7b7
[ 51.238988]
[ 51.238990] which lock already depends on the new lock.
[ 51.238990]
[ 51.238991]
[ 51.238992] the existing dependency chain (in reverse order) is:
[ 51.238993]
[ 51.238994] -> #3 (&obj_hash[i].lock){-.-.}:
[ 51.238998]        lock_acquire+0x16f/0x430
[ 51.239000]        _raw_spin_lock_irqsave+0x95/0xcd
[ 51.239001]        __debug_object_init+0xa9/0x8e0
[ 51.239002]        debug_object_init+0x16/0x20
[ 51.239003]        hrtimer_init+0x2a/0x2e0
[ 51.239004]        init_dl_task_timer+0x1b/0x50
[ 51.239005]        __sched_fork+0x222/0xab0
[ 51.239006]        init_idle+0x75/0x800
[ 51.239008]        sched_init+0xaa1/0xbb3
[ 51.239009]        start_kernel+0x339/0x6fd
[ 51.239010]        x86_64_start_reservations+0x29/0x2b
[ 51.239011]        x86_64_start_kernel+0x77/0x7b
[ 51.239012]        secondary_startup_64+0xa5/0xb0
[ 51.239013]
[ 51.239014] -> #2 (&rq->lock){-.-.}:
[ 51.239018]        lock_acquire+0x16f/0x430
[ 51.239019]        _raw_spin_lock+0x2f/0x40
[ 51.239020]        task_fork_fair+0x63/0x5b0
[ 51.239022]        sched_fork+0x3a6/0xc10
[ 51.239023]        copy_process.part.0+0x15b7/0x6a00
[ 51.239024]        _do_fork+0x19e/0xce0
[ 51.239025]        kernel_thread+0x34/0x40
[ 51.239026]        rest_init+0x24/0x1e2
[ 51.239027]        start_kernel+0x6df/0x6fd
[ 51.239029]        x86_64_start_reservations+0x29/0x2b
[ 51.239030]        x86_64_start_kernel+0x77/0x7b
[ 51.239031]        secondary_startup_64+0xa5/0xb0
[ 51.239032]
[ 51.239032] -> #1 (&p->pi_lock){-.-.}:
[ 51.239036]        lock_acquire+0x16f/0x430
[ 51.239037]        _raw_spin_lock_irqsave+0x95/0xcd
[ 51.239039]        try_to_wake_up+0x79/0xf90
[ 51.239040]        wake_up_process+0x10/0x20
[ 51.239041]        __up.isra.0+0x136/0x1a0
[ 51.239042]        up+0x9c/0xe0
[ 51.239043]        __up_console_sem+0xad/0x1b0
[ 51.239044]        console_unlock+0x59d/0xed0
[ 51.239045]        vprintk_emit+0x1f9/0x600
[ 51.239046]        vprintk_default+0x28/0x30
[ 51.239048]        vprintk_func+0x5d/0x159
[ 51.239049]        printk+0x9e/0xbc
[ 51.239050]        kauditd_hold_skb.cold+0x3e/0x4d
[ 51.239051]        kauditd_send_queue+0xfc/0x140
[ 51.239052]        kauditd_thread+0x644/0x860
[ 51.239053]        kthread+0x319/0x430
[ 51.239054]        ret_from_fork+0x24/0x30
[ 51.239055]
[ 51.239056] -> #0 ((console_sem).lock){-...}:
[ 51.239060]        __lock_acquire+0x2cb3/0x4620
[ 51.239061]        lock_acquire+0x16f/0x430
[ 51.239062]        _raw_spin_lock_irqsave+0x95/0xcd
[ 51.239063]        down_trylock+0x13/0x70
[ 51.239065]        __down_trylock_console_sem+0x9c/0x200
[ 51.239066]        console_trylock+0x17/0x80
[ 51.239067]        vprintk_emit+0x1eb/0x600
[ 51.239068]        vprintk_default+0x28/0x30
[ 51.239069]        vprintk_func+0x5d/0x159
[ 51.239070]        printk+0x9e/0xbc
[ 51.239072]        debug_print_object.cold+0xa7/0xdb
[ 51.239073]        debug_check_no_obj_freed+0x3f5/0x7b7
[ 51.239074]        kfree+0xbd/0x270
[ 51.239075]        rfcomm_dlc_free+0x20/0x30
[ 51.239076]        rfcomm_dev_ioctl+0x1590/0x18b0
[ 51.239077]        rfcomm_sock_ioctl+0x82/0xa0
[ 51.239078]        sock_do_ioctl+0x64/0xb0
[ 51.239080]        sock_ioctl+0x2a6/0x470
[ 51.239081]        do_vfs_ioctl+0x7ae/0x1060
[ 51.239082]        SyS_ioctl+0x8f/0xc0
[ 51.239083]        do_syscall_64+0x1e8/0x640
[ 51.239084]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 51.239085]
[ 51.239086] other info that might help us debug this:
[ 51.239087]
[ 51.239088] Chain exists of:
[ 51.239097]   (console_sem).lock --> &rq->lock --> &obj_hash[i].lock
[ 51.239102]
[ 51.239104]  Possible unsafe locking scenario:
[ 51.239104]
[ 51.239105]        CPU0                    CPU1
[ 51.239109]        ----                    ----
[ 51.239110]   lock(&obj_hash[i].lock);
[ 51.239113]                                lock(&rq->lock);
[ 51.239116]                                lock(&obj_hash[i].lock);
[ 51.239118]   lock((console_sem).lock);
[ 51.239120]
[ 51.239121]  *** DEADLOCK ***
[ 51.239122]
[ 51.239123] 3 locks held by syz-executor545/7118:
[ 51.239124]  #0:  (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: [] rfcomm_sock_ioctl+0x74/0xa0
[ 51.239128]  #1:  (rfcomm_ioctl_mutex){+.+.}, at: [] rfcomm_dev_ioctl+0x442/0x18b0
[ 51.239133]  #2:  (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x12d/0x7b7
[ 51.239137]
[ 51.239138] stack backtrace:
[ 51.239140] CPU: 0 PID: 7118 Comm: syz-executor545 Not tainted 4.14.151 #0
[ 51.239142] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.239143] Call Trace:
[ 51.239144]  dump_stack+0x138/0x197
[ 51.239145]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 51.239147]  __lock_acquire+0x2cb3/0x4620
[ 51.239148]  ? add_lock_to_list.isra.0+0x17c/0x330
[ 51.239149]  ? trace_hardirqs_on+0x10/0x10
[ 51.239150]  ? netdev_bits+0xb0/0xb0
[ 51.239152]  ? save_trace+0x290/0x290
[ 51.239153]  ? kvm_clock_read+0x23/0x40
[ 51.239154]  ? kvm_sched_clock_read+0x9/0x20
[ 51.239155]  lock_acquire+0x16f/0x430
[ 51.239156]  ? down_trylock+0x13/0x70
[ 51.239157]  ? vprintk_emit+0x109/0x600
[ 51.239159]  _raw_spin_lock_irqsave+0x95/0xcd
[ 51.239160]  ? down_trylock+0x13/0x70
[ 51.239161]  ? vprintk_emit+0x1eb/0x600
[ 51.239162]  down_trylock+0x13/0x70
[ 51.239163]  ? vprintk_emit+0x1eb/0x600
[ 51.239164]  __down_trylock_console_sem+0x9c/0x200
[ 51.239165]  console_trylock+0x17/0x80
[ 51.239166]  vprintk_emit+0x1eb/0x600
[ 51.239167]  vprintk_default+0x28/0x30
[ 51.239168]  vprintk_func+0x5d/0x159
[ 51.239169]  ? rfcomm_session_add+0x340/0x340
[ 51.239170]  printk+0x9e/0xbc
[ 51.239171]  ? show_regs_print_info+0x63/0x63
[ 51.239172]  ? lock_acquire+0x16f/0x430
[ 51.239174]  ? debug_check_no_obj_freed+0x12d/0x7b7
[ 51.239175]  ? rfcomm_session_add+0x340/0x340
[ 51.239176]  debug_print_object.cold+0xa7/0xdb
[ 51.239177]  debug_check_no_obj_freed+0x3f5/0x7b7
[ 51.239178]  ? free_obj_work+0x6d0/0x6d0
[ 51.239180]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 51.239181]  kfree+0xbd/0x270
[ 51.239182]  rfcomm_dlc_free+0x20/0x30
[ 51.239183]  rfcomm_dev_ioctl+0x1590/0x18b0
[ 51.239184]  ? mark_held_locks+0xb1/0x100
[ 51.239185]  ? __local_bh_enable_ip+0x99/0x1a0
[ 51.239186]  ? rfcomm_dev_state_change+0x130/0x130
[ 51.239187]  ? __local_bh_enable_ip+0x99/0x1a0
[ 51.239188]  rfcomm_sock_ioctl+0x82/0xa0
[ 51.239189]  sock_do_ioctl+0x64/0xb0
[ 51.239190]  sock_ioctl+0x2a6/0x470
[ 51.239192]  ? dlci_ioctl_set+0x40/0x40
[ 51.239193]  do_vfs_ioctl+0x7ae/0x1060
[ 51.239194]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 51.239195]  ? ioctl_preallocate+0x1c0/0x1c0
[ 51.239196]  ? fd_install+0x4d/0x60
[ 51.239197]  ? security_file_ioctl+0x7d/0xb0
[ 51.239198]  ? security_file_ioctl+0x89/0xb0
[ 51.239199]  SyS_ioctl+0x8f/0xc0
[ 51.239201]  ? do_vfs_ioctl+0x1060/0x1060
[ 51.239202]  do_syscall_64+0x1e8/0x640
[ 51.239203]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 51.239204]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 51.239205] RIP: 0033:0x441229
[ 51.239206] RSP: 002b:00007ffd523e9b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 51.239209] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 51.239211] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 51.239212] RBP: 000000000000c6de R08: 00000000004002c8 R09: 00000000004002c8
[ 51.239214] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 51.239215] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 51.241113] Kernel Offset: disabled
[ 52.019027] Rebooting in 86400 seconds..