[ 44.836696] audit: type=1800 audit(1564333162.327:29): pid=7829 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2447 res=0
[ 44.866944] audit: type=1800 audit(1564333162.337:30): pid=7829 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.29' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 53.873510] kauditd_printk_skb: 5 callbacks suppressed
[ 53.873527] audit: type=1400 audit(1564333171.367:36): avc: denied { map } for pid=8017 comm="syz-executor560" path="/root/syz-executor560448297" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 58.885187] ------------[ cut here ]------------
[ 58.891168] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80
[ 58.901160] WARNING: CPU: 0 PID: 8020 at lib/debugobjects.c:325 debug_print_object+0x168/0x250
[ 58.909956] Kernel panic - not syncing: panic_on_warn set ...
[ 58.909956]
[ 58.917324] CPU: 0 PID: 8020 Comm: syz-executor560 Not tainted 4.19.62 #36
[ 58.924324] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.933673] Call Trace:
[ 58.936262] dump_stack+0x172/0x1f0
[ 58.939891] panic+0x263/0x507
[ 58.943077] ? __warn_printk+0xf3/0xf3
[ 58.946957] ? debug_print_object+0x168/0x250
[ 58.951452] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.956994] ? __warn.cold+0x5/0x4a
[ 58.960617] ? __warn+0xe8/0x1d0
[ 58.963979] ? debug_print_object+0x168/0x250
[ 58.968470] __warn.cold+0x20/0x4a
[ 58.972005] ? trace_hardirqs_off+0x62/0x220
[ 58.976408] ? debug_print_object+0x168/0x250
[ 58.980898] report_bug+0x263/0x2b0
[ 58.984520] do_error_trap+0x204/0x360
[ 58.988522] ? math_error+0x340/0x340
[ 58.992322] ? wake_up_klogd+0x99/0xd0
[ 58.996253] ? vprintk_emit+0x1ab/0x690
[ 59.000228] ? error_entry+0x76/0xd0
[ 59.003941] ? trace_hardirqs_off_caller+0x65/0x220
[ 59.008961] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 59.013804] do_invalid_op+0x1b/0x20
[ 59.017521] invalid_op+0x14/0x20
[ 59.021212] RIP: 0010:debug_print_object+0x168/0x250
[ 59.026321] Code: dd 20 4e 82 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48 8b 14 dd 20 4e 82 87 48 c7 c7 60 43 82 87 e8 06 2a 19 fe <0f> 0b 83 05 9b bc 17 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
[ 59.045412] RSP: 0018:ffff88807afff8d8 EFLAGS: 00010086
[ 59.050794] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[ 59.058070] RDX: 0000000000000000 RSI: ffffffff8155d376 RDI: ffffed100f5fff0d
[ 59.065348] RBP: ffff88807afff918 R08: ffff8880a59da4c0 R09: ffffed1015d03ee3
[ 59.072618] R10: ffffed1015d03ee2 R11: ffff8880ae81f717 R12: 0000000000000001
[ 59.080008] R13: ffffffff887ac380 R14: ffffffff815b48d0 R15: ffff888088d3cae8
[ 59.087427] ? __internal_add_timer+0x1f0/0x1f0
[ 59.092108] ? vprintk_func+0x86/0x189
[ 59.096111] ? debug_print_object+0x168/0x250
[ 59.100604] debug_check_no_obj_freed+0x29f/0x464
[ 59.105442] kfree+0xbd/0x220
[ 59.108556] rfcomm_dlc_free+0x20/0x30
[ 59.112452] rfcomm_dev_ioctl+0x181f/0x1b60
[ 59.116777] ? __local_bh_enable_ip+0x15a/0x270
[ 59.121437] ? lock_sock_nested+0xe2/0x120
[ 59.125663] ? __local_bh_enable_ip+0x15a/0x270
[ 59.130453] ? rfcomm_dev_state_change+0x150/0x150
[ 59.135423] ? __local_bh_enable_ip+0x15a/0x270
[ 59.140102] rfcomm_sock_ioctl+0x90/0xb0
[ 59.144158] sock_do_ioctl+0xd8/0x2f0
[ 59.148045] ? compat_ifr_data_ioctl+0x160/0x160
[ 59.152797] ? kasan_check_read+0x11/0x20
[ 59.156936] ? do_raw_spin_unlock+0x57/0x270
[ 59.161337] ? do_wp_page+0x585/0x10b0
[ 59.165214] ? finish_mkwrite_fault+0x4f0/0x4f0
[ 59.169879] sock_ioctl+0x325/0x610
[ 59.173506] ? dlci_ioctl_set+0x40/0x40
[ 59.177542] ? __handle_mm_fault+0x7d1/0x3f80
[ 59.182036] ? __might_sleep+0x95/0x190
[ 59.186004] ? dlci_ioctl_set+0x40/0x40
[ 59.189973] do_vfs_ioctl+0xd5f/0x1380
[ 59.193853] ? selinux_file_ioctl+0x46f/0x5e0
[ 59.198340] ? selinux_file_ioctl+0x125/0x5e0
[ 59.202934] ? ioctl_preallocate+0x210/0x210
[ 59.207333] ? selinux_file_mprotect+0x620/0x620
[ 59.217091] ? pmd_offset+0x48/0xf0
[ 59.220717] ? __sanitizer_cov_trace_cmp8+0x1b/0x20
[ 59.225727] ? up_read+0x1a/0x110
[ 59.229209] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 59.234744] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 59.240284] ? security_file_ioctl+0x8d/0xc0
[ 59.244692] ksys_ioctl+0xab/0xd0
[ 59.248182] __x64_sys_ioctl+0x73/0xb0
[ 59.252074] do_syscall_64+0xfd/0x620
[ 59.255893] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.261169] RIP: 0033:0x441229
[ 59.264357] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 59.283250] RSP: 002b:00007ffefc0f3308 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 59.290990] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 59.298267] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000003
[ 59.305536] RBP: 000000000000e5ec R08: 00000000004002c8 R09: 00000000004002c8
[ 59.312853] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 59.320120] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 59.327943]
[ 59.327947] ======================================================
[ 59.327950] WARNING: possible circular locking dependency detected
[ 59.327953] 4.19.62 #36 Not tainted
[ 59.327956] ------------------------------------------------------
[ 59.327959] syz-executor560/8020 is trying to acquire lock:
[ 59.327961] 00000000a0134a20 (console_owner){-...}, at: console_unlock+0x41f/0x10b0
[ 59.327969]
[ 59.327972] but task is already holding lock:
[ 59.327974] 00000000594c3ce4 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 59.327982]
[ 59.327985] which lock already depends on the new lock.
[ 59.327986]
[ 59.327988]
[ 59.327991] the existing dependency chain (in reverse order) is:
[ 59.327993]
[ 59.327996] -> #3 (&obj_hash[i].lock){-.-.}:
[ 59.328010] _raw_spin_lock_irqsave+0x95/0xcd
[ 59.328014] debug_object_activate+0x131/0x4e0
[ 59.328018] __queue_work+0xcf/0x10a0
[ 59.328022] queue_work_on+0x192/0x200
[ 59.328026] tty_flip_buffer_push+0xc5/0x100
[ 59.328029] pty_write+0x1a6/0x200
[ 59.328033] n_tty_write+0xafa/0x10f0
[ 59.328037] tty_write+0x458/0x7a0
[ 59.328040] __vfs_write+0x114/0x810
[ 59.328044] vfs_write+0x20c/0x560
[ 59.328048] ksys_write+0x14f/0x2d0
[ 59.328051] __x64_sys_write+0x73/0xb0
[ 59.328055] do_syscall_64+0xfd/0x620
[ 59.328061] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.328063]
[ 59.328065] -> #2 (&(&port->lock)->rlock){-.-.}:
[ 59.328081] _raw_spin_lock_irqsave+0x95/0xcd
[ 59.328085] tty_port_tty_get+0x22/0x80
[ 59.328101] tty_port_default_wakeup+0x16/0x40
[ 59.328134] tty_port_tty_wakeup+0x57/0x70
[ 59.328137] uart_write_wakeup+0x46/0x70
[ 59.328139] serial8250_tx_chars+0x495/0xaf0
[ 59.328142] serial8250_handle_irq.part.0+0x1f4/0x260
[ 59.328145] serial8250_default_handle_irq+0xc0/0x150
[ 59.328147] serial8250_interrupt+0xfc/0x1e0
[ 59.328150] __handle_irq_event_percpu+0x144/0x8f0
[ 59.328152] handle_irq_event_percpu+0x74/0x160
[ 59.328155] handle_irq_event+0xa7/0x134
[ 59.328157] handle_edge_irq+0x25e/0x8d0
[ 59.328159] handle_irq+0x39/0x50
[ 59.328161] do_IRQ+0x99/0x1d0
[ 59.328163] ret_from_intr+0x0/0x1e
[ 59.328166] _raw_spin_unlock_irqrestore+0x95/0xe0
[ 59.328168] uart_write+0x3a9/0x6e0
[ 59.328170] n_tty_write+0x3f9/0x10f0
[ 59.328172] tty_write+0x458/0x7a0
[ 59.328175] redirected_tty_write+0xb2/0xc0
[ 59.328177] __vfs_write+0x114/0x810
[ 59.328179] vfs_write+0x20c/0x560
[ 59.328181] ksys_write+0x14f/0x2d0
[ 59.328183] __x64_sys_write+0x73/0xb0
[ 59.328186] do_syscall_64+0xfd/0x620
[ 59.328188] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.328189]
[ 59.328191] -> #1 (&port_lock_key){-.-.}:
[ 59.328199] _raw_spin_lock_irqsave+0x95/0xcd
[ 59.328202] serial8250_console_write+0x7ca/0x9f0
[ 59.328204] univ8250_console_write+0x5f/0x70
[ 59.328206] console_unlock+0xbde/0x10b0
[ 59.328209] vprintk_emit+0x238/0x690
[ 59.328211] vprintk_default+0x28/0x30
[ 59.328213] vprintk_func+0x7e/0x189
[ 59.328215] printk+0xba/0xed
[ 59.328217] register_console+0x77f/0xb90
[ 59.328219] univ8250_console_init+0x3e/0x4b
[ 59.328221] console_init+0x4f7/0x761
[ 59.328224] start_kernel+0x59c/0x8c5
[ 59.328226] x86_64_start_reservations+0x29/0x2b
[ 59.328228] x86_64_start_kernel+0x77/0x7b
[ 59.328231] secondary_startup_64+0xa4/0xb0
[ 59.328232]
[ 59.328234] -> #0 (console_owner){-...}:
[ 59.328241] lock_acquire+0x16f/0x3f0
[ 59.328244] console_unlock+0x489/0x10b0
[ 59.328246] vprintk_emit+0x238/0x690
[ 59.328248] vprintk_default+0x28/0x30
[ 59.328250] vprintk_func+0x7e/0x189
[ 59.328252] printk+0xba/0xed
[ 59.328254] __warn_printk+0x9b/0xf3
[ 59.328256] debug_print_object+0x168/0x250
[ 59.328259] debug_check_no_obj_freed+0x29f/0x464
[ 59.328261] kfree+0xbd/0x220
[ 59.328263] rfcomm_dlc_free+0x20/0x30
[ 59.328265] rfcomm_dev_ioctl+0x181f/0x1b60
[ 59.328267] rfcomm_sock_ioctl+0x90/0xb0
[ 59.328269] sock_do_ioctl+0xd8/0x2f0
[ 59.328272] sock_ioctl+0x325/0x610
[ 59.328274] do_vfs_ioctl+0xd5f/0x1380
[ 59.328276] ksys_ioctl+0xab/0xd0
[ 59.328278] __x64_sys_ioctl+0x73/0xb0
[ 59.328280] do_syscall_64+0xfd/0x620
[ 59.328283] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.328284]
[ 59.328286] other info that might help us debug this:
[ 59.328288]
[ 59.328289] Chain exists of:
[ 59.328290] console_owner --> &(&port->lock)->rlock --> &obj_hash[i].lock
[ 59.328301]
[ 59.328303] Possible unsafe locking scenario:
[ 59.328304]
[ 59.328306]        CPU0                    CPU1
[ 59.328309]        ----                    ----
[ 59.328310]   lock(&obj_hash[i].lock);
[ 59.328315]                                lock(&(&port->lock)->rlock);
[ 59.328320]                                lock(&obj_hash[i].lock);
[ 59.328325]   lock(console_owner);
[ 59.328329]
[ 59.328331] *** DEADLOCK ***
[ 59.328332]
[ 59.328334] 4 locks held by syz-executor560/8020:
[ 59.328336] #0: 000000001cb7f8a1 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: rfcomm_sock_ioctl+0x82/0xb0
[ 59.328346] #1: 00000000b25cbed8 (rfcomm_ioctl_mutex){+.+.}, at: rfcomm_dev_ioctl+0x4f0/0x1b60
[ 59.328355] #2: 00000000594c3ce4 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 59.328365] #3: 00000000a95943b4 (console_lock){+.+.}, at: vprintk_emit+0x21d/0x690
[ 59.328374]
[ 59.328376] stack backtrace:
[ 59.328379] CPU: 0 PID: 8020 Comm: syz-executor560 Not tainted 4.19.62 #36
[ 59.328383] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.328385] Call Trace:
[ 59.328387] dump_stack+0x172/0x1f0
[ 59.328389] print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 59.328392] __lock_acquire+0x2e19/0x49c0
[ 59.328394] ? mark_held_locks+0x100/0x100
[ 59.328396] ? sprintf+0xc0/0x100
[ 59.328398] ? console_unlock+0x464/0x10b0
[ 59.328400] ? console_unlock+0x464/0x10b0
[ 59.328403] lock_acquire+0x16f/0x3f0
[ 59.328405] ? console_unlock+0x41f/0x10b0
[ 59.328407] console_unlock+0x489/0x10b0
[ 59.328409] ? console_unlock+0x41f/0x10b0
[ 59.328412] vprintk_emit+0x238/0x690
[ 59.328414] ? __internal_add_timer+0x1f0/0x1f0
[ 59.328416] vprintk_default+0x28/0x30
[ 59.328418] vprintk_func+0x7e/0x189
[ 59.328420] printk+0xba/0xed
[ 59.328422] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 59.328425] ? __warn_printk+0x8f/0xf3
[ 59.328427] ? rfcomm_session_add+0x300/0x300
[ 59.328429] __warn_printk+0x9b/0xf3
[ 59.328431] ? add_taint.cold+0x16/0x16
[ 59.328433] ? skb_dequeue+0x12e/0x180
[ 59.328436] ? rfcomm_session_add+0x300/0x300
[ 59.328438] debug_print_object+0x168/0x250
[ 59.328440] debug_check_no_obj_freed+0x29f/0x464
[ 59.328442] kfree+0xbd/0x220
[ 59.328444] rfcomm_dlc_free+0x20/0x30
[ 59.328447] rfcomm_dev_ioctl+0x181f/0x1b60
[ 59.328449] ? __local_bh_enable_ip+0x15a/0x270
[ 59.328451] ? lock_sock_nested+0xe2/0x120
[ 59.328454] ? __local_bh_enable_ip+0x15a/0x270
[ 59.328456] ? rfcomm_dev_state_change+0x150/0x150
[ 59.328458] ? __local_bh_enable_ip+0x15a/0x270
[ 59.328461] rfcomm_sock_ioctl+0x90/0xb0
[ 59.328463] sock_do_ioctl+0xd8/0x2f0
[ 59.328465] ? compat_ifr_data_ioctl+0x160/0x160
[ 59.328467] ? kasan_check_read+0x11/0x20
[ 59.328470] ? do_raw_spin_unlock+0x57/0x270
[ 59.328472] ? do_wp_page+0x585/0x10b0
[ 59.328474] ? finish_mkwrite_fault+0x4f0/0x4f0
[ 59.328476] sock_ioctl+0x325/0x610
[ 59.328478] ? dlci_ioctl_set+0x40/0x40
[ 59.328481] ? __handle_mm_fault+0x7d1/0x3f80
[ 59.328483] ? __might_sleep+0x95/0x190
[ 59.328485] ? dlci_ioctl_set+0x40/0x40
[ 59.328487] do_vfs_ioctl+0xd5f/0x1380
[ 59.328489] ? selinux_file_ioctl+0x46f/0x5e0
[ 59.328492] ? selinux_file_ioctl+0x125/0x5e0
[ 59.328494] ? ioctl_preallocate+0x210/0x210
[ 59.328496] ? selinux_file_mprotect+0x620/0x620
[ 59.328498] ? pmd_offset+0x48/0xf0
[ 59.328501] ? __sanitizer_cov_trace_cmp8+0x1b/0x20
[ 59.328503] ? up_read+0x1a/0x110
[ 59.328505] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 59.328508] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 59.328511] ? security_file_ioctl+0x8d/0xc0
[ 59.328513] ksys_ioctl+0xab/0xd0
[ 59.328515] __x64_sys_ioctl+0x73/0xb0
[ 59.328517] do_syscall_64+0xfd/0x620
[ 59.328519] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.328521] RIP: 0033:0x441229
[ 59.328529] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 59.328532] RSP: 002b:00007ffefc0f3308 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 59.328538] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 59.328541] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000003
[ 59.328544] RBP: 000000000000e5ec R08: 00000000004002c8 R09: 00000000004002c8
[ 59.328548] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 59.328551] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 59.329626] Kernel Offset: disabled
[ 60.220600] Rebooting in 86400 seconds..