[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 22.906784] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 24.897794] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.245645] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.793786] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.059458] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.29' (ECDSA) to the list of known hosts.
[ 38.774338] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 38.869339] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
[ 38.891955] ==================================================================
[ 38.900680] BUG: KASAN: use-after-free in __schedule+0xf54/0x1df0
[ 38.906897] Read of size 8 at addr ffff8801ac160058 by task syz-executor520/4456
[ 38.914458]
[ 38.916080] CPU: 1 PID: 4456 Comm: syz-executor520 Not tainted 4.18.0+ #208
[ 38.923163] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.932543] Call Trace:
[ 38.935126] dump_stack+0x1c9/0x2b4
[ 38.938739] ? dump_stack_print_info.cold.2+0x52/0x52
[ 38.943912] ? printk+0xa7/0xcf
[ 38.947278] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 38.952041] ? __schedule+0xf54/0x1df0
[ 38.955929] print_address_description+0x6c/0x20b
[ 38.960801] ? __schedule+0xf54/0x1df0
[ 38.964677] kasan_report.cold.7+0x242/0x30d
[ 38.969080] __asan_report_load8_noabort+0x14/0x20
[ 38.973987] __schedule+0xf54/0x1df0
[ 38.977786] ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 38.982882] ? __sched_text_start+0x8/0x8
[ 38.987024] ? __call_srcu+0x7e7/0x1040
[ 38.990989] ? check_same_owner+0x340/0x340
[ 38.995303] ? mark_held_locks+0x160/0x160
[ 38.999539] ? find_held_lock+0x36/0x1c0
[ 39.003589] preempt_schedule_common+0x22/0x60
[ 39.008153] _cond_resched+0x1d/0x30
[ 39.011949] wait_for_completion+0xa5/0x8d0
[ 39.016264] ? wait_for_completion_interruptible+0x950/0x950
[ 39.022042] ? __lockdep_init_map+0x105/0x590
[ 39.026523] ? __init_waitqueue_head+0x9e/0x150
[ 39.031175] ? init_wait_entry+0x1c0/0x1c0
[ 39.035449] __synchronize_srcu+0x189/0x240
[ 39.039807] ? call_srcu+0x10/0x10
[ 39.043336] ? rcu_unexpedite_gp+0x20/0x20
[ 39.047600] synchronize_srcu+0x335/0x56f
[ 39.051738] ? lock_downgrade+0x8f0/0x8f0
[ 39.055868] ? synchronize_srcu_expedited+0x20/0x20
[ 39.060992] ? kasan_check_read+0x11/0x20
[ 39.065138] ? do_raw_spin_trylock+0x1c0/0x1c0
[ 39.069712] ? kasan_check_write+0x14/0x20
[ 39.073934] ? do_raw_spin_lock+0xc1/0x200
[ 39.078159] kvm_page_track_unregister_notifier+0x17d/0x250
[ 39.083854] ? kvm_slot_page_track_remove_page+0x70/0x70
[ 39.089286] ? kvfree+0x61/0x70
[ 39.092553] ? rcu_read_lock_sched_held+0x108/0x120
[ 39.097600] kvm_mmu_uninit_vm+0x1c/0x20
[ 39.101653] kvm_arch_destroy_vm+0x5f2/0x7c0
[ 39.106049] ? kvm_arch_sync_events+0x30/0x30
[ 39.110539] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 39.116065] ? mmu_notifier_unregister+0x474/0x600
[ 39.120982] ? trace_hardirqs_on+0x2c0/0x2c0
[ 39.125374] ? kfree+0x111/0x210
[ 39.128721] ? __mmu_notifier_register+0x30/0x30
[ 39.133527] ? __free_pages+0x10a/0x190
[ 39.137487] ? free_unref_page+0x930/0x930
[ 39.141710] kvm_put_kvm+0x73f/0x1060
[ 39.145492] ? kvm_write_guest_cached+0x40/0x40
[ 39.150166] ? _raw_spin_unlock_irq+0x27/0x70
[ 39.154642] ? _raw_spin_unlock_irq+0x27/0x70
[ 39.159176] ? lockdep_hardirqs_on+0x421/0x5c0
[ 39.163830] ? kasan_check_write+0x14/0x20
[ 39.168055] ? do_raw_spin_lock+0xc1/0x200
[ 39.172270] ? kvm_irqfd_release+0xdd/0x120
[ 39.176571] ? kvm_irqfd_release+0xdd/0x120
[ 39.180872] ? kvm_put_kvm+0x1060/0x1060
[ 39.184921] kvm_vm_release+0x42/0x50
[ 39.188701] __fput+0x36e/0x8c0
[ 39.191962] ? __alloc_file+0x400/0x400
[ 39.195920] ? check_same_owner+0x340/0x340
[ 39.200295] ? kasan_check_write+0x14/0x20
[ 39.204522] ? do_raw_spin_lock+0xc1/0x200
[ 39.208741] ____fput+0x15/0x20
[ 39.212003] task_work_run+0x1e8/0x2a0
[ 39.215922] ? task_work_cancel+0x240/0x240
[ 39.220239] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 39.225759] ? switch_task_namespaces+0xa2/0xd0
[ 39.230411] do_exit+0x1ae4/0x26e0
[ 39.233941] ? mm_update_next_owner+0x9a0/0x9a0
[ 39.238596] ? kvm_vcpu_ioctl+0x2b5/0x1280
[ 39.242924] ? rcu_read_lock_sched_held+0x108/0x120
[ 39.248032] ? kfree+0x1d7/0x210
[ 39.251382] ? kvm_vcpu_ioctl+0x2ba/0x1280
[ 39.255714] ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 39.261455] ? is_bpf_text_address+0xd7/0x170
[ 39.265941] ? kernel_text_address+0x79/0xf0
[ 39.270443] ? __kernel_text_address+0xd/0x40
[ 39.274921] ? unwind_get_return_address+0x61/0xa0
[ 39.279830] ? __save_stack_trace+0x8d/0xf0
[ 39.284306] ? save_stack+0xa9/0xd0
[ 39.287927] ? save_stack+0x43/0xd0
[ 39.291533] ? __kasan_slab_free+0x11a/0x170
[ 39.295921] ? kasan_slab_free+0xe/0x10
[ 39.299872] ? putname+0xf2/0x130
[ 39.303312] ? __x64_sys_openat+0x9d/0x100
[ 39.307648] ? do_syscall_64+0x1b9/0x820
[ 39.311698] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.317061] ? trace_hardirqs_off+0xb8/0x2b0
[ 39.321449] ? kasan_check_read+0x11/0x20
[ 39.325580] ? do_raw_spin_unlock+0xa7/0x2f0
[ 39.330070] ? trace_hardirqs_on+0x2c0/0x2c0
[ 39.334468] ? initcall_blacklisted+0x9a/0x1e0
[ 39.339041] ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 39.344234] ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 39.350000] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 39.355529] ? do_vfs_ioctl+0x201/0x1720
[ 39.359620] ? rcu_is_watching+0x8c/0x150
[ 39.363754] ? trace_hardirqs_on+0xbd/0x2c0
[ 39.368064] ? ioctl_preallocate+0x300/0x300
[ 39.372478] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 39.378039] ? __fget_light+0x2f7/0x440
[ 39.381998] ? fget_raw+0x20/0x20
[ 39.385442] ? putname+0xf2/0x130
[ 39.388881] ? rcu_read_lock_sched_held+0x108/0x120
[ 39.393884] ? kmem_cache_free+0x246/0x280
[ 39.398101] ? putname+0xf7/0x130
[ 39.401542] do_group_exit+0x177/0x440
[ 39.405414] ? trace_hardirqs_on+0xbd/0x2c0
[ 39.409723] ? __ia32_sys_exit+0x50/0x50
[ 39.413770] ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 39.418857] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 39.424379] ? ksys_ioctl+0x81/0xd0
[ 39.427995] __x64_sys_exit_group+0x3e/0x50
[ 39.432298] do_syscall_64+0x1b9/0x820
[ 39.436173] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 39.441537] ? syscall_return_slowpath+0x5e0/0x5e0
[ 39.446509] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.451337] ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 39.456383] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 39.461399] ? prepare_exit_to_usermode+0x291/0x3b0
[ 39.466409] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.471248] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.476462] RIP: 0033:0x43ecf8
[ 39.479686] Code: Bad RIP value.
[ 39.483044] RSP: 002b:00007ffec0ee80b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 39.490736] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ecf8
[ 39.497990] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 39.505251] RBP: 00000000004be5a8 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 39.512508] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 39.519764] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 39.527119]
[ 39.528779] Allocated by task 4456:
[ 39.532399] save_stack+0x43/0xd0
[ 39.535833] kasan_kmalloc+0xc4/0xe0
[ 39.539526] kasan_slab_alloc+0x12/0x20
[ 39.543479] kmem_cache_alloc+0x12e/0x710
[ 39.547613] vmx_create_vcpu+0xcf/0x2830
[ 39.551711] kvm_arch_vcpu_create+0xe5/0x220
[ 39.556100] kvm_vm_ioctl+0x488/0x1d80
[ 39.559970] do_vfs_ioctl+0x1de/0x1720
[ 39.563838] ksys_ioctl+0xa9/0xd0
[ 39.567277] __x64_sys_ioctl+0x73/0xb0
[ 39.571200] do_syscall_64+0x1b9/0x820
[ 39.575077] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.580239]
[ 39.581909] Freed by task 4456:
[ 39.586273] save_stack+0x43/0xd0
[ 39.589715] __kasan_slab_free+0x11a/0x170
[ 39.593933] kasan_slab_free+0xe/0x10
[ 39.597718] kmem_cache_free+0x86/0x280
[ 39.601670] vmx_free_vcpu+0x26b/0x300
[ 39.605535] kvm_arch_destroy_vm+0x365/0x7c0
[ 39.609923] kvm_put_kvm+0x73f/0x1060
[ 39.613702] kvm_vm_release+0x42/0x50
[ 39.617484] __fput+0x36e/0x8c0
[ 39.620741] ____fput+0x15/0x20
[ 39.623999] task_work_run+0x1e8/0x2a0
[ 39.627872] do_exit+0x1ae4/0x26e0
[ 39.631395] do_group_exit+0x177/0x440
[ 39.635262] __x64_sys_exit_group+0x3e/0x50
[ 39.639564] do_syscall_64+0x1b9/0x820
[ 39.643433] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.648600]
[ 39.650214] The buggy address belongs to the object at ffff8801ac160040
[ 39.650214] which belongs to the cache kvm_vcpu of size 23872
[ 39.662772] The buggy address is located 24 bytes inside of
[ 39.662772] 23872-byte region [ffff8801ac160040, ffff8801ac165d80)
[ 39.674986] The buggy address belongs to the page:
[ 39.679912] page:ffffea0006b05800 count:1 mapcount:0 mapping:ffff8801d5462380 index:0x0 compound_mapcount: 0
[ 39.689881] flags: 0x2fffc0000008100(slab|head)
[ 39.694546] raw: 02fffc0000008100 ffff8801d561c048 ffff8801d561c048 ffff8801d5462380
[ 39.702411] raw: 0000000000000000 ffff8801ac160040 0000000100000001 0000000000000000
[ 39.710272] page dumped because: kasan: bad access detected
[ 39.715957]
[ 39.717561] Memory state around the buggy address:
[ 39.722469] ffff8801ac15ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 39.729808] ffff8801ac15ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 39.737162] >ffff8801ac160000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 39.744502] ^
[ 39.750734] ffff8801ac160080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.758078] ffff8801ac160100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.765418] ==================================================================
[ 39.772760] Kernel panic - not syncing: panic_on_warn set ...
[ 39.772760]
[ 39.780103] CPU: 1 PID: 4456 Comm: syz-executor520 Tainted: G B 4.18.0+ #208
[ 39.788567] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.798011] Call Trace:
[ 39.800586] dump_stack+0x1c9/0x2b4
[ 39.804199] ? dump_stack_print_info.cold.2+0x52/0x52
[ 39.809373] ? lock_downgrade+0x8f0/0x8f0
[ 39.813505] ? __schedule+0xf54/0x1df0
[ 39.817375] panic+0x238/0x4e7
[ 39.820636] ? add_taint.cold.5+0x16/0x16
[ 39.824786] ? print_shadow_for_address+0xba/0x116
[ 39.829705] ? trace_hardirqs_off+0xaf/0x2b0
[ 39.834095] ? trace_hardirqs_off+0x77/0x2b0
[ 39.838483] ? __schedule+0xf54/0x1df0
[ 39.842354] kasan_end_report+0x47/0x4f
[ 39.846418] kasan_report.cold.7+0x76/0x30d
[ 39.850769] __asan_report_load8_noabort+0x14/0x20
[ 39.855684] __schedule+0xf54/0x1df0
[ 39.859380] ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 39.864466] ? __sched_text_start+0x8/0x8
[ 39.868610] ? __call_srcu+0x7e7/0x1040
[ 39.872567] ? check_same_owner+0x340/0x340
[ 39.876873] ? mark_held_locks+0x160/0x160
[ 39.881089] ? find_held_lock+0x36/0x1c0
[ 39.885132] preempt_schedule_common+0x22/0x60
[ 39.889692] _cond_resched+0x1d/0x30
[ 39.893390] wait_for_completion+0xa5/0x8d0
[ 39.897700] ? wait_for_completion_interruptible+0x950/0x950
[ 39.903611] ? __lockdep_init_map+0x105/0x590
[ 39.908095] ? __init_waitqueue_head+0x9e/0x150
[ 39.912751] ? init_wait_entry+0x1c0/0x1c0
[ 39.916972] __synchronize_srcu+0x189/0x240
[ 39.921279] ? call_srcu+0x10/0x10
[ 39.924807] ? rcu_unexpedite_gp+0x20/0x20
[ 39.929030] synchronize_srcu+0x335/0x56f
[ 39.933261] ? lock_downgrade+0x8f0/0x8f0
[ 39.937407] ? synchronize_srcu_expedited+0x20/0x20
[ 39.942406] ? kasan_check_read+0x11/0x20
[ 39.946539] ? do_raw_spin_trylock+0x1c0/0x1c0
[ 39.951107] ? kasan_check_write+0x14/0x20
[ 39.955324] ? do_raw_spin_lock+0xc1/0x200
[ 39.959670] kvm_page_track_unregister_notifier+0x17d/0x250
[ 39.965370] ? kvm_slot_page_track_remove_page+0x70/0x70
[ 39.970807] ? kvfree+0x61/0x70
[ 39.974071] ? rcu_read_lock_sched_held+0x108/0x120
[ 39.979068] kvm_mmu_uninit_vm+0x1c/0x20
[ 39.983114] kvm_arch_destroy_vm+0x5f2/0x7c0
[ 39.987644] ? kvm_arch_sync_events+0x30/0x30
[ 39.992124] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 39.997667] ? mmu_notifier_unregister+0x474/0x600
[ 40.002574] ? trace_hardirqs_on+0x2c0/0x2c0
[ 40.006963] ? kfree+0x111/0x210
[ 40.010431] ? __mmu_notifier_register+0x30/0x30
[ 40.015247] ? __free_pages+0x10a/0x190
[ 40.019206] ? free_unref_page+0x930/0x930
[ 40.023430] kvm_put_kvm+0x73f/0x1060
[ 40.027222] ? kvm_write_guest_cached+0x40/0x40
[ 40.031881] ? _raw_spin_unlock_irq+0x27/0x70
[ 40.036369] ? _raw_spin_unlock_irq+0x27/0x70
[ 40.040851] ? lockdep_hardirqs_on+0x421/0x5c0
[ 40.045419] ? kasan_check_write+0x14/0x20
[ 40.049686] ? do_raw_spin_lock+0xc1/0x200
[ 40.053910] ? kvm_irqfd_release+0xdd/0x120
[ 40.058216] ? kvm_irqfd_release+0xdd/0x120
[ 40.062523] ? kvm_put_kvm+0x1060/0x1060
[ 40.066568] kvm_vm_release+0x42/0x50
[ 40.070353] __fput+0x36e/0x8c0
[ 40.073614] ? __alloc_file+0x400/0x400
[ 40.077569] ? check_same_owner+0x340/0x340
[ 40.081875] ? kasan_check_write+0x14/0x20
[ 40.086140] ? do_raw_spin_lock+0xc1/0x200
[ 40.090361] ____fput+0x15/0x20
[ 40.093627] task_work_run+0x1e8/0x2a0
[ 40.097559] ? task_work_cancel+0x240/0x240
[ 40.101873] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 40.107396] ? switch_task_namespaces+0xa2/0xd0
[ 40.112047] do_exit+0x1ae4/0x26e0
[ 40.115636] ? mm_update_next_owner+0x9a0/0x9a0
[ 40.120310] ? kvm_vcpu_ioctl+0x2b5/0x1280
[ 40.124528] ? rcu_read_lock_sched_held+0x108/0x120
[ 40.129527] ? kfree+0x1d7/0x210
[ 40.132877] ? kvm_vcpu_ioctl+0x2ba/0x1280
[ 40.137094] ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 40.142792] ? is_bpf_text_address+0xd7/0x170
[ 40.147275] ? kernel_text_address+0x79/0xf0
[ 40.151666] ? __kernel_text_address+0xd/0x40
[ 40.156147] ? unwind_get_return_address+0x61/0xa0
[ 40.161152] ? __save_stack_trace+0x8d/0xf0
[ 40.165475] ? save_stack+0xa9/0xd0
[ 40.169149] ? save_stack+0x43/0xd0
[ 40.172773] ? __kasan_slab_free+0x11a/0x170
[ 40.177192] ? kasan_slab_free+0xe/0x10
[ 40.181163] ? putname+0xf2/0x130
[ 40.184603] ? __x64_sys_openat+0x9d/0x100
[ 40.188824] ? do_syscall_64+0x1b9/0x820
[ 40.193027] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.198387] ? trace_hardirqs_off+0xb8/0x2b0
[ 40.202775] ? kasan_check_read+0x11/0x20
[ 40.207003] ? do_raw_spin_unlock+0xa7/0x2f0
[ 40.211396] ? trace_hardirqs_on+0x2c0/0x2c0
[ 40.215785] ? initcall_blacklisted+0x9a/0x1e0
[ 40.220354] ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 40.225517] ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 40.231262] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 40.236843] ? do_vfs_ioctl+0x201/0x1720
[ 40.240890] ? rcu_is_watching+0x8c/0x150
[ 40.245081] ? trace_hardirqs_on+0xbd/0x2c0
[ 40.249390] ? ioctl_preallocate+0x300/0x300
[ 40.253780] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 40.259301] ? __fget_light+0x2f7/0x440
[ 40.263256] ? fget_raw+0x20/0x20
[ 40.266687] ? putname+0xf2/0x130
[ 40.270121] ? rcu_read_lock_sched_held+0x108/0x120
[ 40.275116] ? kmem_cache_free+0x246/0x280
[ 40.279331] ? putname+0xf7/0x130
[ 40.282766] do_group_exit+0x177/0x440
[ 40.286634] ? trace_hardirqs_on+0xbd/0x2c0
[ 40.290941] ? __ia32_sys_exit+0x50/0x50
[ 40.294988] ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 40.300079] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 40.305602] ? ksys_ioctl+0x81/0xd0
[ 40.309209] __x64_sys_exit_group+0x3e/0x50
[ 40.313511] do_syscall_64+0x1b9/0x820
[ 40.317386] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 40.322733] ? syscall_return_slowpath+0x5e0/0x5e0
[ 40.327710] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.332656] ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 40.337661] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 40.342664] ? prepare_exit_to_usermode+0x291/0x3b0
[ 40.347668] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.352503] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.357675] RIP: 0033:0x43ecf8
[ 40.360851] Code: Bad RIP value.
[ 40.364296] RSP: 002b:00007ffec0ee80b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 40.372253] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ecf8
[ 40.379538] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 40.386801] RBP: 00000000004be5a8 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 40.394062] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 40.401323] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 40.408596]
[ 40.408602] ======================================================
[ 40.408607] WARNING: possible circular locking dependency detected
[ 40.408610] 4.18.0+ #208 Not tainted
[ 40.408616] ------------------------------------------------------
[ 40.408621] syz-executor520/4456 is trying to acquire lock:
[ 40.408624] 00000000d6be95ce ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[ 40.408639]
[ 40.408643] but task is already holding lock:
[ 40.408646] 00000000da6c7276 (report_lock){....}, at: kasan_report+0x8e/0x110
[ 40.408660]
[ 40.408664] which lock already depends on the new lock.
[ 40.408667]
[ 40.408669]
[ 40.408674] the existing dependency chain (in reverse order) is:
[ 40.408676]
[ 40.408679] -> #3 (report_lock){....}:
[ 40.408696] _raw_spin_lock_irqsave+0x96/0xc0
[ 40.408700] kasan_report+0x8e/0x110
[ 40.408704] __asan_report_load8_noabort+0x14/0x20
[ 40.408708] __schedule+0xf54/0x1df0
[ 40.408712] preempt_schedule_common+0x22/0x60
[ 40.408716] _cond_resched+0x1d/0x30
[ 40.408720] wait_for_completion+0xa5/0x8d0
[ 40.408724] __synchronize_srcu+0x189/0x240
[ 40.408728] synchronize_srcu+0x335/0x56f
[ 40.408733] kvm_page_track_unregister_notifier+0x17d/0x250
[ 40.408737] kvm_mmu_uninit_vm+0x1c/0x20
[ 40.408741] kvm_arch_destroy_vm+0x5f2/0x7c0
[ 40.408745] kvm_put_kvm+0x73f/0x1060
[ 40.408749] kvm_vm_release+0x42/0x50
[ 40.408753] __fput+0x36e/0x8c0
[ 40.408756] ____fput+0x15/0x20
[ 40.408760] task_work_run+0x1e8/0x2a0
[ 40.408764] do_exit+0x1ae4/0x26e0
[ 40.408767] do_group_exit+0x177/0x440
[ 40.408771] __x64_sys_exit_group+0x3e/0x50
[ 40.408775] do_syscall_64+0x1b9/0x820
[ 40.408780] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.408782]
[ 40.408784] -> #2 (&rq->lock){-.-.}:
[ 40.408798] _raw_spin_lock+0x2a/0x40
[ 40.408802] task_fork_fair+0x93/0x680
[ 40.408805] sched_fork+0x44b/0xbd0
[ 40.408809] copy_process+0x235e/0x7ad0
[ 40.408813] _do_fork+0x1ca/0x1170
[ 40.408817] kernel_thread+0x34/0x40
[ 40.408820] rest_init+0x22/0xe4
[ 40.408824] start_kernel+0x913/0x94e
[ 40.408828] x86_64_start_reservations+0x29/0x2b
[ 40.408832] x86_64_start_kernel+0x76/0x79
[ 40.408836] secondary_startup_64+0xa4/0xb0
[ 40.408839]
[ 40.408841] -> #1 (&p->pi_lock){-.-.}:
[ 40.408855] _raw_spin_lock_irqsave+0x96/0xc0
[ 40.408859] try_to_wake_up+0xd2/0x1250
[ 40.408863] wake_up_process+0x10/0x20
[ 40.408867] __up.isra.1+0x1c0/0x2a0
[ 40.408870] up+0x13c/0x1c0
[ 40.408874] __up_console_sem+0xbe/0x1b0
[ 40.408878] console_unlock+0x506/0x10d0
[ 40.408881] vprintk_emit+0x33a/0x910
[ 40.408885] vprintk_default+0x28/0x30
[ 40.408889] vprintk_func+0x7a/0x117
[ 40.408892] printk+0xa7/0xcf
[ 40.408896] load_umh+0x51/0xbd
[ 40.408900] do_one_initcall+0x127/0x838
[ 40.408904] kernel_init_freeable+0x4bb/0x5ae
[ 40.408908] kernel_init+0x11/0x1b3
[ 40.408911] ret_from_fork+0x3a/0x50
[ 40.408914]
[ 40.408916] -> #0 ((console_sem).lock){-...}:
[ 40.408930] lock_acquire+0x1e4/0x4f0
[ 40.408934] _raw_spin_lock_irqsave+0x96/0xc0
[ 40.408938] down_trylock+0x13/0x70
[ 40.408942] __down_trylock_console_sem+0xae/0x200
[ 40.408946] console_trylock+0x15/0xa0
[ 40.408950] vprintk_emit+0x31f/0x910
[ 40.408954] vprintk_default+0x28/0x30
[ 40.408958] vprintk_func+0x7a/0x117
[ 40.408975] printk+0xa7/0xcf
[ 40.408980] kasan_report+0x9e/0x110
[ 40.408984] __asan_report_load8_noabort+0x14/0x20
[ 40.408988] __schedule+0xf54/0x1df0
[ 40.408992] preempt_schedule_common+0x22/0x60
[ 40.408996] _cond_resched+0x1d/0x30
[ 40.409000] wait_for_completion+0xa5/0x8d0
[ 40.409004] __synchronize_srcu+0x189/0x240
[ 40.409008] synchronize_srcu+0x335/0x56f
[ 40.409013] kvm_page_track_unregister_notifier+0x17d/0x250
[ 40.409017] kvm_mmu_uninit_vm+0x1c/0x20
[ 40.409021] kvm_arch_destroy_vm+0x5f2/0x7c0
[ 40.409025] kvm_put_kvm+0x73f/0x1060
[ 40.409029] kvm_vm_release+0x42/0x50
[ 40.409033] __fput+0x36e/0x8c0
[ 40.409036] ____fput+0x15/0x20
[ 40.409040] task_work_run+0x1e8/0x2a0
[ 40.409044] do_exit+0x1ae4/0x26e0
[ 40.409048] do_group_exit+0x177/0x440
[ 40.409052] __x64_sys_exit_group+0x3e/0x50
[ 40.409056] do_syscall_64+0x1b9/0x820
[ 40.409060] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.409062]
[ 40.409067] other info that might help us debug this:
[ 40.409069]
[ 40.409072] Chain exists of:
[ 40.409074] (console_sem).lock --> &rq->lock --> report_lock
[ 40.409092]
[ 40.409096] Possible unsafe locking scenario:
[ 40.409098]
[ 40.409102]        CPU0                    CPU1
[ 40.409106]        ----                    ----
[ 40.409109]   lock(report_lock);
[ 40.409118]                                lock(&rq->lock);
[ 40.409127]                                lock(report_lock);
[ 40.409135]   lock((console_sem).lock);
[ 40.409143]
[ 40.409146] *** DEADLOCK ***
[ 40.409148]
[ 40.409152] 2 locks held by syz-executor520/4456:
[ 40.409154] #0: 000000003e22f4d5 (&rq->lock){-.-.}, at: __schedule+0x24d/0x1df0
[ 40.409171] #1: 00000000da6c7276 (report_lock){....}, at: kasan_report+0x8e/0x110
[ 40.409187]
[ 40.409190] stack backtrace:
[ 40.409196] CPU: 1 PID: 4456 Comm: syz-executor520 Not tainted 4.18.0+ #208
[ 40.409203] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.409206] Call Trace:
[ 40.409210] dump_stack+0x1c9/0x2b4
[ 40.409214] ? dump_stack_print_info.cold.2+0x52/0x52
[ 40.409218] ? vprintk_func+0x100/0x117
[ 40.409223] print_circular_bug.isra.34.cold.55+0x1bd/0x27d
[ 40.409227] ? save_trace+0xe0/0x290
[ 40.409231] __lock_acquire+0x3449/0x5020
[ 40.409235] ? mark_held_locks+0x160/0x160
[ 40.409239] ? mark_held_locks+0x160/0x160
[ 40.409243] ? rcu_cleanup_dead_rnp+0x200/0x200
[ 40.409247] ? is_bpf_text_address+0xd7/0x170
[ 40.409251] ? kernel_text_address+0x79/0xf0
[ 40.409255] ? __kernel_text_address+0xd/0x40
[ 40.409259] ? __save_stack_trace+0x8d/0xf0
[ 40.409264] ? add_lock_to_list.isra.27+0x1ec/0x4b0
[ 40.409267] ? save_trace+0x290/0x290
[ 40.409271] ? save_stack_trace+0x1a/0x20
[ 40.409275] ? save_trace+0xe0/0x290
[ 40.409279] ? graph_lock+0x170/0x170
[ 40.409283] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 40.409287] lock_acquire+0x1e4/0x4f0
[ 40.409291] ? down_trylock+0x13/0x70
[ 40.409295] ? lock_release+0x9f0/0x9f0
[ 40.409299] ? trace_hardirqs_off+0xb8/0x2b0
[ 40.409303] ? trace_hardirqs_on+0x2c0/0x2c0
[ 40.409307] ? trace_hardirqs_off+0xb8/0x2b0
[ 40.409310] ? log_store+0x34f/0x4c0
[ 40.409314] ? vprintk_emit+0x31f/0x910
[ 40.409318] _raw_spin_lock_irqsave+0x96/0xc0
[ 40.409322] ? down_trylock+0x13/0x70
[ 40.409326] down_trylock+0x13/0x70
[ 40.409330] __down_trylock_console_sem+0xae/0x200
[ 40.409334] console_trylock+0x15/0xa0
[ 40.409338] vprintk_emit+0x31f/0x910
[ 40.409341] ? wake_up_klogd+0x110/0x110
[ 40.409346] ? run_rebalance_domains+0x4c0/0x4c0
[ 40.409350] ? kasan_check_read+0x11/0x20
[ 40.409354] ? rcu_is_watching+0x8c/0x150
[ 40.409357] ? rcu_pm_notify+0xc0/0xc0
[ 40.409361] ? lock_acquire+0x1e4/0x4f0
[ 40.409365] ? kasan_report+0x8e/0x110
[ 40.409369] ? __schedule+0xf54/0x1df0
[ 40.409372] vprintk_default+0x28/0x30
[ 40.409376] vprintk_func+0x7a/0x117
[ 40.409379] printk+0xa7/0xcf
[ 40.409384] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 40.409388] ? kasan_check_write+0x14/0x20
[ 40.409392] ? do_raw_spin_lock+0xc1/0x200
[ 40.409396] ? do_raw_spin_lock+0xc1/0x200
[ 40.409399] kasan_report+0x9e/0x110
[ 40.409404] __asan_report_load8_noabort+0x14/0x20
[ 40.409407] __schedule+0xf54/0x1df0
[ 40.409412] ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 40.409416] ? __sched_text_start+0x8/0x8
[ 40.409420] ? __call_srcu+0x7e7/0x1040
[ 40.409424] ? check_same_owner+0x340/0x340
[ 40.409428] ? mark_held_locks+0x160/0x160
[ 40.409432] ? find_held_lock+0x36/0x1c0
[ 40.409436] preempt_schedule_common+0x22/0x60
[ 40.409440] _cond_resched+0x1d/0x30
[ 40.409444] wait_for_completion+0xa5/0x8d0
[ 40.409449] ? wait_for_completion_interruptible+0x950/0x950
[ 40.409453] ? __lockdep_init_map+0x105/0x590
[ 40.409457] ? __init_waitqueue_head+0x9e/0x150
[ 40.409461] ? init_wait_entry+0x1c0/0x1c0
[ 40.409466] __synchronize_srcu+0x189/0x240
[ 40.409470] ? call_srcu+0x10/0x10
[ 40.409474] ? rcu_unexpedite_gp+0x20/0x20
[ 40.409478] synchronize_srcu+0x335/0x56f
[ 40.409482] ? lock_downgrade+0x8f0/0x8f0
[ 40.409486] ? synchronize_srcu_expedited+0x20/0x20
[ 40.409490] ? kasan_check_read+0x11/0x20
[ 40.409494] ? do_raw_spin_trylock+0x1c0/0x1c0
[ 40.409498] ? kasan_check_write+0x14/0x20
[ 40.409502] ? do_raw_spin_lock+0xc1/0x200
[ 40.409507] kvm_page_track_unregister_notifier+0x17d/0x250
[ 40.409512] ? kvm_slot_page_track_remove_page+0x70/0x70
[ 40.409515] ? kvfree+0x61/0x70
[ 40.409520] ? rcu_read_lock_sched_held+0x108/0x120
[ 40.409524] kvm_mmu_uninit_vm+0x1c/0x20
[ 40.409528] kvm_arch_destroy_vm+0x5f2/0x7c0
[ 40.409532] ? kvm_arch_sync_events+0x30/0x30
[ 40.409537] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 40.409541] ? mmu_notifier_unregister+0x474/0x600
[ 40.409545] ? trace_hardirqs_on+0x2c0/0x2c0
[ 40.409549] ? kfree+0x111/0x210
[ 40.409553] ? __mmu_notifier_register+0x30/0x30
[ 40.409557] ? __free_pages+0x10a/0x190
[ 40.409561] ? free_unref_page+0x930/0x930
[ 40.409565] kvm_put_kvm+0x73f/0x1060
[ 40.409569] ? kvm_write_guest_cached+0x40/0x40
[ 40.409573] ? _raw_spin_unlock_irq+0x27/0x70
[ 40.409578] ? _raw_spin_unlock_irq+0x27/0x70
[ 40.409582] ? lockdep_hardirqs_on+0x421/0x5c0
[ 40.409586] ? kasan_check_write+0x14/0x20
[ 40.409590] ? do_raw_spin_lock+0xc1/0x200
[ 40.409594] ? kvm_irqfd_release+0xdd/0x120
[ 40.409598] ? kvm_irqfd_release+0xdd/0x120
[ 40.409602] ? kvm_put_kvm+0x1060/0x1060
[ 40.409605] kvm_vm_release+0x42/0x50
[ 40.409609] __fput+0x36e/0x8c0
[ 40.409613] ? __alloc_file+0x400/0x400
[ 40.409617] ? check_same_owner+0x340/0x340
[ 40.409621] ? kasan_check_write+0x14/0x20
[ 40.409625] ? do_raw_spin_lock+0xc1/0x200
[ 40.409628] ____fput+0x15/0x20
[ 40.409632] task_work_run+0x1e8/0x2a0
[ 40.409636] ? task_work_cancel+0x240/0x240
[ 40.409640] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 40.409645] ? switch_task_namespaces+0xa2/0xd0
[ 40.409648] do_exit+0x1ae4/0x26e0
[ 40.409653] ? mm_update_next_owner+0x9a0/0x9a0
[ 40.409656] ? kvm_vcpu_ioctl+0x2b5/0x1280
[ 40.409661] ? rcu_read_lock_sched_held+0x108/0x120
[ 40.409664] ? kfree+0x1d7/0x210
[ 40.409668] ? kvm_vcpu_ioctl+0x2ba/0x1280
[ 40.409673] ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 40.409677] ? is_bpf_text_address+0xd7/0x170
[ 40.409680] ? kernel_
[ 40.409687] Lost 55 message(s)!
[ 41.507059] Shutting down cpus with NMI
[ 42.565808] Dumping ftrace buffer:
[ 42.569331] (ftrace buffer empty)
[ 42.573021] Kernel Offset: disabled
[ 42.576629] Rebooting in 86400 seconds..