[ ok ] Starting periodic command scheduler: cron. Starting mcstransd: [ ok ] Starting OpenBSD Secure Shell server: sshd. [ ok ] Starting file context maintaining daemon: restorecond. [ 38.641621] audit: type=1800 audit(1569208268.306:33): pid=7348 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0 Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 42.057593] kauditd_printk_skb: 1 callbacks suppressed [ 42.057606] audit: type=1400 audit(1569208271.726:35): avc: denied { map } for pid=7523 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.216' (ECDSA) to the list of known hosts. 2019/09/23 03:11:18 parsed 1 programs [ 48.632502] audit: type=1400 audit(1569208278.296:36): avc: denied { map } for pid=7535 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 48.708971] audit: type=1400 audit(1569208278.376:37): avc: denied { map } for pid=7535 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=14998 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 2019/09/23 03:11:20 executed programs: 0 [ 50.522482] IPVS: ftp: loaded support on port[0] = 21 [ 50.582499] chnl_net:caif_netlink_parms(): no params data found [ 50.614847] bridge0: port 1(bridge_slave_0) entered blocking state [ 50.622141] bridge0: port 1(bridge_slave_0) entered disabled state [ 50.629938] device bridge_slave_0 entered promiscuous mode [ 50.638379] bridge0: port 2(bridge_slave_1) entered blocking state [ 50.645151] bridge0: port
2(bridge_slave_1) entered disabled state [ 50.653890] device bridge_slave_1 entered promiscuous mode [ 50.671312] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 50.680575] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 50.696530] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 50.704242] team0: Port device team_slave_0 added [ 50.709969] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 50.717345] team0: Port device team_slave_1 added [ 50.722609] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 50.730092] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 50.788958] device hsr_slave_0 entered promiscuous mode [ 50.846720] device hsr_slave_1 entered promiscuous mode [ 50.916896] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 50.924118] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 50.940236] bridge0: port 2(bridge_slave_1) entered blocking state [ 50.947015] bridge0: port 2(bridge_slave_1) entered forwarding state [ 50.954721] bridge0: port 1(bridge_slave_0) entered blocking state [ 50.961491] bridge0: port 1(bridge_slave_0) entered forwarding state [ 50.991836] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 50.998196] 8021q: adding VLAN 0 to HW filter on device bond0 [ 51.007260] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 51.016016] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 51.037193] bridge0: port 1(bridge_slave_0) entered disabled state [ 51.044842] bridge0: port 2(bridge_slave_1) entered disabled state [ 51.054003] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 51.064263] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 51.070737] 8021q: adding VLAN 0 to HW filter on device team0 [ 51.080554] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 51.088465] bridge0: port 1(bridge_slave_0) entered blocking state [ 51.094817] bridge0: port 1(bridge_slave_0) entered forwarding 
state [ 51.104459] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 51.113393] bridge0: port 2(bridge_slave_1) entered blocking state [ 51.120208] bridge0: port 2(bridge_slave_1) entered forwarding state [ 51.135461] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 51.143557] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 51.153971] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 51.165122] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 51.175676] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 51.185490] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 51.192053] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 51.205255] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 51.215245] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 51.225507] audit: type=1400 audit(1569208280.896:38): avc: denied { associate } for pid=7553 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 [ 53.838664] ------------[ cut here ]------------ [ 53.844741] ODEBUG: free active (active state 1) object type: rcu_head hint: (null) [ 53.854829] WARNING: CPU: 0 PID: 8157 at lib/debugobjects.c:325 debug_print_object+0x168/0x250 [ 53.863795] Kernel panic - not syncing: panic_on_warn set ... [ 53.863795] [ 53.871564] CPU: 0 PID: 8157 Comm: syz-executor.0 Not tainted 4.19.75 #0 [ 53.878832] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 53.888462] Call Trace: [ 53.891059] dump_stack+0x172/0x1f0 [ 53.894679] panic+0x263/0x507 [ 53.898003] ? __warn_printk+0xf3/0xf3 [ 53.901922] ? debug_print_object+0x168/0x250 [ 53.906416] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 53.911999] ? __warn.cold+0x5/0x4a [ 53.915617] ? __warn+0xe8/0x1d0 [ 53.918982] ? debug_print_object+0x168/0x250 [ 53.923468] __warn.cold+0x20/0x4a [ 53.927010] ? 
trace_hardirqs_off+0x62/0x220 [ 53.931425] ? debug_print_object+0x168/0x250 [ 53.936190] report_bug+0x263/0x2b0 [ 53.940191] do_error_trap+0x204/0x360 [ 53.944228] ? math_error+0x340/0x340 [ 53.948332] ? wake_up_klogd+0x99/0xd0 [ 53.952214] ? vprintk_emit+0x1ab/0x690 [ 53.956823] ? error_entry+0x7c/0xe0 [ 53.960728] ? trace_hardirqs_off_caller+0x65/0x220 [ 53.966017] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 53.970963] do_invalid_op+0x1b/0x20 [ 53.974760] invalid_op+0x14/0x20 [ 53.978229] RIP: 0010:debug_print_object+0x168/0x250 [ 53.983410] Code: dd 20 56 82 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48 8b 14 dd 20 56 82 87 48 c7 c7 60 4b 82 87 e8 d6 04 19 fe <0f> 0b 83 05 cb 83 17 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3 [ 54.002963] RSP: 0018:ffff8880a38f76f8 EFLAGS: 00010086 [ 54.008330] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000 [ 54.015879] RDX: 0000000000000000 RSI: ffffffff8155dbd6 RDI: ffffed101471eed1 [ 54.023260] RBP: ffff8880a38f7738 R08: ffff888092f203c0 R09: ffffed1015d03ee3 [ 54.030745] R10: ffffed1015d03ee2 R11: ffff8880ae81f717 R12: 0000000000000001 [ 54.043840] R13: ffffffff8879f200 R14: 0000000000000000 R15: ffff88808eb235a0 [ 54.051160] ? vprintk_func+0x86/0x189 [ 54.055145] ? debug_print_object+0x168/0x250 [ 54.059731] debug_check_no_obj_freed+0x29f/0x464 [ 54.064571] kmem_cache_free+0x18f/0x260 [ 54.068629] free_task+0xdd/0x120 [ 54.072136] __put_task_struct+0x20f/0x4c0 [ 54.076372] finish_task_switch+0x52b/0x780 [ 54.080730] __schedule+0x86e/0x1dc0 [ 54.084441] ? pci_mmcfg_check_reserved+0x170/0x170 [ 54.089504] ? lock_downgrade+0x810/0x810 [ 54.094341] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 54.099888] ? get_futex_value_locked+0xd6/0x100 [ 54.104638] schedule+0x92/0x1c0 [ 54.108144] futex_wait_queue_me+0x30c/0x600 [ 54.112583] ? handle_futex_death.part.0+0x250/0x250 [ 54.118355] ? lock_pi_update_atomic+0x120/0x120 [ 54.123113] futex_wait+0x228/0x5e0 [ 54.126744] ? 
futex_wait_setup+0x390/0x390 [ 54.131080] ? __sanitizer_cov_trace_switch+0x49/0x80 [ 54.136346] ? drop_futex_key_refs.isra.0+0x6f/0xf0 [ 54.143279] ? futex_wake+0x179/0x4d0 [ 54.147085] do_futex+0x175/0x1d70 [ 54.150623] ? __might_fault+0x12b/0x1e0 [ 54.154910] ? exit_robust_list+0x2c0/0x2c0 [ 54.159330] ? kasan_check_read+0x11/0x20 [ 54.163482] ? _copy_to_user+0xc9/0x120 [ 54.167463] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 54.173013] __x64_sys_futex+0x400/0x590 [ 54.177187] ? do_futex+0x1d70/0x1d70 [ 54.180983] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 54.185738] ? do_syscall_64+0x26/0x620 [ 54.189733] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 54.195129] ? do_syscall_64+0x26/0x620 [ 54.199101] ? lockdep_hardirqs_on+0x415/0x5d0 [ 54.204163] ? trace_hardirqs_on+0x67/0x220 [ 54.208496] do_syscall_64+0xfd/0x620 [ 54.212470] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 54.217870] RIP: 0033:0x459a09 [ 54.221341] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 54.241050] RSP: 002b:00007f59f398ccf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 54.248897] RAX: ffffffffffffffda RBX: 000000000075c078 RCX: 0000000000459a09 [ 54.256163] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075c078 [ 54.263541] RBP: 000000000075c070 R08: 0000000000000000 R09: 0000000000000000 [ 54.270808] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075c07c [ 54.278130] R13: 00007fff88cee39f R14: 00007f59f398d9c0 R15: 000000000075c07c [ 54.285634] [ 54.285637] ====================================================== [ 54.285641] WARNING: possible circular locking dependency detected [ 54.285643] 4.19.75 #0 Not tainted [ 54.285646] ------------------------------------------------------ [ 54.285649] syz-executor.0/8157 is trying to acquire lock: [ 54.285651] 00000000be0b858f ((console_sem).lock){-...}, at: 
down_trylock+0x13/0x70 [ 54.285660] [ 54.285662] but task is already holding lock: [ 54.285664] 000000009a1b8818 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464 [ 54.285672] [ 54.285675] which lock already depends on the new lock. [ 54.285676] [ 54.285678] [ 54.285681] the existing dependency chain (in reverse order) is: [ 54.285682] [ 54.285683] -> #3 (&obj_hash[i].lock){-.-.}: [ 54.285738] _raw_spin_lock_irqsave+0x95/0xcd [ 54.285740] __debug_object_init+0xc6/0xc30 [ 54.285743] debug_object_init+0x16/0x20 [ 54.285745] hrtimer_init+0x2a/0x300 [ 54.285747] init_dl_task_timer+0x1b/0x50 [ 54.285749] __sched_fork+0x22a/0x4b0 [ 54.285751] init_idle+0x75/0x800 [ 54.285754] sched_init+0x952/0x9f0 [ 54.285756] start_kernel+0x402/0x8c5 [ 54.285758] x86_64_start_reservations+0x29/0x2b [ 54.285761] x86_64_start_kernel+0x77/0x7b [ 54.285764] secondary_startup_64+0xa4/0xb0 [ 54.285765] [ 54.285766] -> #2 (&rq->lock){-.-.}: [ 54.285774] _raw_spin_lock+0x2f/0x40 [ 54.285776] task_fork_fair+0x6a/0x520 [ 54.285778] sched_fork+0x3af/0x900 [ 54.285781] copy_process.part.0+0x1859/0x7a30 [ 54.285783] _do_fork+0x257/0xfd0 [ 54.285785] kernel_thread+0x34/0x40 [ 54.285787] rest_init+0x24/0x222 [ 54.285790] start_kernel+0x88c/0x8c5 [ 54.285792] x86_64_start_reservations+0x29/0x2b [ 54.285795] x86_64_start_kernel+0x77/0x7b [ 54.285797] secondary_startup_64+0xa4/0xb0 [ 54.285799] [ 54.285800] -> #1 (&p->pi_lock){-.-.}: [ 54.285808] _raw_spin_lock_irqsave+0x95/0xcd [ 54.285811] try_to_wake_up+0x94/0xf50 [ 54.285813] wake_up_process+0x10/0x20 [ 54.285815] __up.isra.0+0x136/0x1a0 [ 54.285817] up+0x9c/0xe0 [ 54.285819] __up_console_sem+0xb7/0x1c0 [ 54.285822] console_unlock+0x6c7/0x10b0 [ 54.285824] vprintk_emit+0x238/0x690 [ 54.285826] vprintk_default+0x28/0x30 [ 54.285829] vprintk_func+0x7e/0x189 [ 54.285831] printk+0xba/0xed [ 54.285833] kauditd_hold_skb.cold+0x3f/0x4e [ 54.285835] kauditd_send_queue+0x12b/0x170 [ 54.285838] kauditd_thread+0x732/0xa60 [ 54.285840] 
kthread+0x354/0x420 [ 54.285842] ret_from_fork+0x24/0x30 [ 54.285843] [ 54.285844] -> #0 ((console_sem).lock){-...}: [ 54.285853] lock_acquire+0x16f/0x3f0 [ 54.285855] _raw_spin_lock_irqsave+0x95/0xcd [ 54.285857] down_trylock+0x13/0x70 [ 54.285860] __down_trylock_console_sem+0xa8/0x210 [ 54.285862] console_trylock+0x15/0xa0 [ 54.285864] vprintk_emit+0x21d/0x690 [ 54.285867] vprintk_default+0x28/0x30 [ 54.285869] vprintk_func+0x7e/0x189 [ 54.285871] printk+0xba/0xed [ 54.285873] __warn_printk+0x9b/0xf3 [ 54.285876] debug_print_object+0x168/0x250 [ 54.285879] debug_check_no_obj_freed+0x29f/0x464 [ 54.285881] kmem_cache_free+0x18f/0x260 [ 54.285883] free_task+0xdd/0x120 [ 54.285885] __put_task_struct+0x20f/0x4c0 [ 54.285888] finish_task_switch+0x52b/0x780 [ 54.285890] __schedule+0x86e/0x1dc0 [ 54.285892] schedule+0x92/0x1c0 [ 54.285895] futex_wait_queue_me+0x30c/0x600 [ 54.285897] futex_wait+0x228/0x5e0 [ 54.285899] do_futex+0x175/0x1d70 [ 54.285901] __x64_sys_futex+0x400/0x590 [ 54.285903] do_syscall_64+0xfd/0x620 [ 54.285906] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 54.285907] [ 54.285910] other info that might help us debug this: [ 54.285911] [ 54.285913] Chain exists of: [ 54.285914] (console_sem).lock --> &rq->lock --> &obj_hash[i].lock [ 54.285924] [ 54.285927] Possible unsafe locking scenario: [ 54.285928] [ 54.285930] CPU0 CPU1 [ 54.285933] ---- ---- [ 54.285934] lock(&obj_hash[i].lock); [ 54.285939] lock(&rq->lock); [ 54.285944] lock(&obj_hash[i].lock); [ 54.285949] lock((console_sem).lock); [ 54.285953] [ 54.285955] *** DEADLOCK *** [ 54.285956] [ 54.285959] 1 lock held by syz-executor.0/8157: [ 54.285965] #0: 000000009a1b8818 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464 [ 54.285976] [ 54.285977] stack backtrace: [ 54.285981] CPU: 0 PID: 8157 Comm: syz-executor.0 Not tainted 4.19.75 #0 [ 54.285985] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 54.285987] Call Trace: [ 54.285989] 
dump_stack+0x172/0x1f0 [ 54.285991] print_circular_bug.isra.0.cold+0x1cc/0x28f [ 54.285994] __lock_acquire+0x2e19/0x49c0 [ 54.285996] ? mark_held_locks+0x100/0x100 [ 54.285998] ? kvm_clock_read+0x18/0x30 [ 54.286000] ? kvm_sched_clock_read+0x9/0x20 [ 54.286003] lock_acquire+0x16f/0x3f0 [ 54.286005] ? down_trylock+0x13/0x70 [ 54.286007] _raw_spin_lock_irqsave+0x95/0xcd [ 54.286009] ? down_trylock+0x13/0x70 [ 54.286011] ? vprintk_emit+0x21d/0x690 [ 54.286014] down_trylock+0x13/0x70 [ 54.286016] ? vprintk_emit+0x21d/0x690 [ 54.286018] __down_trylock_console_sem+0xa8/0x210 [ 54.286020] console_trylock+0x15/0xa0 [ 54.286023] vprintk_emit+0x21d/0x690 [ 54.286025] vprintk_default+0x28/0x30 [ 54.286027] vprintk_func+0x7e/0x189 [ 54.286029] printk+0xba/0xed [ 54.286032] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 54.286034] ? __warn_printk+0x8f/0xf3 [ 54.286036] __warn_printk+0x9b/0xf3 [ 54.286038] ? add_taint.cold+0x16/0x16 [ 54.286041] debug_print_object+0x168/0x250 [ 54.286044] debug_check_no_obj_freed+0x29f/0x464 [ 54.286046] kmem_cache_free+0x18f/0x260 [ 54.286048] free_task+0xdd/0x120 [ 54.286050] __put_task_struct+0x20f/0x4c0 [ 54.286053] finish_task_switch+0x52b/0x780 [ 54.286055] __schedule+0x86e/0x1dc0 [ 54.286057] ? pci_mmcfg_check_reserved+0x170/0x170 [ 54.286060] ? lock_downgrade+0x810/0x810 [ 54.286062] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 54.286065] ? get_futex_value_locked+0xd6/0x100 [ 54.286067] schedule+0x92/0x1c0 [ 54.286070] futex_wait_queue_me+0x30c/0x600 [ 54.286072] ? handle_futex_death.part.0+0x250/0x250 [ 54.286075] ? lock_pi_update_atomic+0x120/0x120 [ 54.286077] futex_wait+0x228/0x5e0 [ 54.286079] ? futex_wait_setup+0x390/0x390 [ 54.286082] ? __sanitizer_cov_trace_switch+0x49/0x80 [ 54.286085] ? drop_futex_key_refs.isra.0+0x6f/0xf0 [ 54.286087] ? futex_wake+0x179/0x4d0 [ 54.286089] do_futex+0x175/0x1d70 [ 54.286091] ? __might_fault+0x12b/0x1e0 [ 54.286093] ? exit_robust_list+0x2c0/0x2c0 [ 54.286096] ? kasan_check_read+0x11/0x20 [ 54.286098] ? 
_copy_to_user+0xc9/0x120 [ 54.286101] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 54.286103] __x64_sys_futex+0x400/0x590 [ 54.286105] ? do_futex+0x1d70/0x1d70 [ 54.286108] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 54.286110] ? do_syscall_64+0x26/0x620 [ 54.286113] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 54.286115] ? do_syscall_64+0x26/0x620 [ 54.286118] ? lockdep_hardirqs_on+0x415/0x5d0 [ 54.286120] ? trace_hardirqs_on+0x67/0x220 [ 54.286122] do_syscall_64+0xfd/0x620 [ 54.286125] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 54.286127] RIP: 0033:0x459a09 [ 54.286135] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 54.286137] RSP: 002b:00007f59f398ccf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 54.286143] RAX: ffffffffffffffda RBX: 000000000075c078 RCX: 0000000000459a09 [ 54.286147] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075c078 [ 54.286150] RBP: 000000000075c070 R08: 0000000000000000 R09: 0000000000000000 [ 54.286153] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075c07c [ 54.286157] R13: 00007fff88cee39f R14: 00007f59f398d9c0 R15: 000000000075c07c [ 54.288156] Kernel Offset: disabled [ 55.102180] Rebooting in 86400 seconds..