[ ok ] Starting file context maintaining daemon: restorecond. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 160.001594] random: sshd: uninitialized urandom read (32 bytes read) [ 160.387868] audit: type=1400 audit(1536741937.926:6): avc: denied { map } for pid=5475 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 160.444009] random: sshd: uninitialized urandom read (32 bytes read) [ 161.048293] random: sshd: uninitialized urandom read (32 bytes read) [ 161.246372] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.6' (ECDSA) to the list of known hosts. executing program [ 166.902955] random: sshd: uninitialized urandom read (32 bytes read) [ 167.035400] audit: type=1400 audit(1536741944.576:7): avc: denied { map } for pid=5487 comm="syz-executor196" path="/root/syz-executor196257022" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 167.039037] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details. [ 167.087799] ================================================================== [ 167.097746] BUG: KASAN: use-after-free in __schedule+0xfc3/0x1ed0 [ 167.103977] Read of size 8 at addr ffff8801c0378058 by task syz-executor196/5487 [ 167.111497] [ 167.113139] CPU: 0 PID: 5487 Comm: syz-executor196 Not tainted 4.19.0-rc3+ #11 [ 167.120495] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 167.129840] Call Trace: [ 167.132434] dump_stack+0x1c4/0x2b4 [ 167.136062] ? dump_stack_print_info.cold.2+0x52/0x52 [ 167.141251] ? printk+0xa7/0xcf [ 167.144536] ? 
kmsg_dump_rewind_nolock+0xe4/0xe4 [ 167.149297] print_address_description.cold.8+0x9/0x1ff [ 167.155161] kasan_report.cold.9+0x242/0x309 [ 167.159603] ? __schedule+0xfc3/0x1ed0 [ 167.163508] __asan_report_load8_noabort+0x14/0x20 [ 167.168437] __schedule+0xfc3/0x1ed0 [ 167.172165] ? __sched_text_start+0x8/0x8 [ 167.176316] ? __lock_is_held+0xb5/0x140 [ 167.180375] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 167.185479] ? find_held_lock+0x36/0x1c0 [ 167.189547] ? __call_srcu+0x7f9/0x1070 [ 167.193520] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 167.198620] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 167.203728] ? lockdep_hardirqs_on+0x421/0x5c0 [ 167.208310] ? preempt_schedule+0x4d/0x60 [ 167.212464] preempt_schedule_common+0x1f/0xd0 [ 167.217052] preempt_schedule+0x4d/0x60 [ 167.221028] ___preempt_schedule+0x16/0x18 [ 167.225272] _raw_spin_unlock_irqrestore+0xbb/0xd0 [ 167.230209] __call_srcu+0x7f9/0x1070 [ 167.234008] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 167.239125] ? srcu_offline_cpu+0x120/0x120 [ 167.243459] ? debug_object_free+0x690/0x690 [ 167.247870] ? mark_held_locks+0x130/0x130 [ 167.252115] ? kvm_arch_destroy_vm+0x414/0x7c0 [ 167.256711] ? lock_release+0x970/0x970 [ 167.260686] ? arch_local_save_flags+0x40/0x40 [ 167.265270] ? depot_save_stack+0x292/0x470 [ 167.269607] ? __lockdep_init_map+0x105/0x590 [ 167.274118] ? __init_waitqueue_head+0x9e/0x150 [ 167.278805] ? init_wait_entry+0x1c0/0x1c0 [ 167.283058] __synchronize_srcu+0x17b/0x230 [ 167.287776] ? call_srcu+0x10/0x10 [ 167.291317] ? rcu_unexpedite_gp+0x20/0x20 [ 167.295561] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 167.301099] ? check_preemption_disabled+0x48/0x200 [ 167.306150] synchronize_srcu+0x356/0x5ab [ 167.310305] ? lock_downgrade+0x900/0x900 [ 167.314464] ? synchronize_srcu_expedited+0x20/0x20 [ 167.319490] ? kasan_check_read+0x11/0x20 [ 167.323640] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 167.328238] ? kasan_check_write+0x14/0x20 [ 167.332481] ? 
do_raw_spin_lock+0xc1/0x200 [ 167.336724] kvm_page_track_unregister_notifier+0x17d/0x250 [ 167.342439] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 167.347898] ? kvfree+0x61/0x70 [ 167.351184] ? rcu_read_lock_sched_held+0x108/0x120 [ 167.356202] kvm_mmu_uninit_vm+0x1c/0x20 [ 167.360284] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 167.364702] ? kvm_arch_sync_events+0x30/0x30 [ 167.369210] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 167.374817] ? mmu_notifier_unregister+0x474/0x600 [ 167.379746] ? kfree+0x107/0x230 [ 167.383122] ? __mmu_notifier_register+0x30/0x30 [ 167.387892] ? __free_pages+0x10a/0x190 [ 167.391870] ? free_unref_page+0x960/0x960 [ 167.396290] kvm_put_kvm+0x6c8/0xff0 [ 167.400013] ? kvm_write_guest_cached+0x40/0x40 [ 167.404685] ? kvm_irqfd_release+0xd1/0x120 [ 167.409007] ? _raw_spin_unlock_irq+0x27/0x80 [ 167.413503] ? _raw_spin_unlock_irq+0x27/0x80 [ 167.418018] ? kasan_check_write+0x14/0x20 [ 167.422281] ? do_raw_spin_lock+0xc1/0x200 [ 167.426522] ? kvm_irqfd_release+0xdd/0x120 [ 167.430846] ? kvm_irqfd_release+0xdd/0x120 [ 167.435172] ? kvm_put_kvm+0xff0/0xff0 [ 167.439065] kvm_vm_release+0x42/0x50 [ 167.442872] __fput+0x385/0xa30 [ 167.446163] ? get_max_files+0x20/0x20 [ 167.450056] ? trace_hardirqs_on+0xbd/0x310 [ 167.454378] ? ___might_sleep+0x1ed/0x300 [ 167.458524] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 167.463991] ? arch_local_save_flags+0x40/0x40 [ 167.468591] ? kasan_check_write+0x14/0x20 [ 167.472831] ? do_raw_spin_lock+0xc1/0x200 [ 167.477066] ____fput+0x15/0x20 [ 167.480348] task_work_run+0x1e8/0x2a0 [ 167.484237] ? task_work_cancel+0x240/0x240 [ 167.488559] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 167.494104] ? switch_task_namespaces+0x9d/0xd0 [ 167.498805] do_exit+0x1ad7/0x2610 [ 167.502350] ? mm_update_next_owner+0x990/0x990 [ 167.507027] ? kvm_vcpu_ioctl+0x29c/0x1150 [ 167.511265] ? rcu_read_lock_sched_held+0x108/0x120 [ 167.516291] ? kfree+0x1fa/0x230 [ 167.519667] ? kvm_vcpu_ioctl+0x2a1/0x1150 [ 167.523904] ? 
kvm_vcpu_block+0x1030/0x1030 [ 167.528228] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 167.533767] ? avc_has_extended_perms+0xab2/0x15a0 [ 167.538705] ? fpu__prepare_read+0x3b/0x750 [ 167.543025] ? avc_ss_reset+0x190/0x190 [ 167.547004] ? save_stack+0xa9/0xd0 [ 167.550627] ? save_stack+0x43/0xd0 [ 167.554256] ? __kasan_slab_free+0x102/0x150 [ 167.558664] ? kasan_slab_free+0xe/0x10 [ 167.562637] ? putname+0xf2/0x130 [ 167.566093] ? __x64_sys_openat+0x9d/0x100 [ 167.570344] ? do_syscall_64+0x1b9/0x820 [ 167.574418] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 167.579791] ? ___might_sleep+0x1ed/0x300 [ 167.583941] ? __bpf_trace_initcall_finish+0x2a/0x30 [ 167.589044] ? trace_hardirqs_off+0xb8/0x310 [ 167.593456] ? kvm_vcpu_block+0x1030/0x1030 [ 167.597781] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 167.603316] ? do_vfs_ioctl+0x201/0x1720 [ 167.607375] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 167.612568] ? ioctl_preallocate+0x300/0x300 [ 167.616980] ? selinux_file_mprotect+0x620/0x620 [ 167.621797] ? path_mountpoint+0x34f/0x2190 [ 167.626137] ? rcu_read_lock_sched_held+0x108/0x120 [ 167.631165] ? kmem_cache_free+0x24f/0x290 [ 167.635399] ? putname+0xf7/0x130 [ 167.638860] do_group_exit+0x177/0x440 [ 167.642751] ? trace_hardirqs_on+0xbd/0x310 [ 167.647072] ? __ia32_sys_exit+0x50/0x50 [ 167.651145] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 167.656615] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 167.662160] ? ksys_ioctl+0x81/0xd0 [ 167.665796] __x64_sys_exit_group+0x3e/0x50 [ 167.670126] do_syscall_64+0x1b9/0x820 [ 167.674026] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 167.679393] ? syscall_return_slowpath+0x5e0/0x5e0 [ 167.684324] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 167.689170] ? trace_hardirqs_on_caller+0x310/0x310 [ 167.694185] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 167.699204] ? prepare_exit_to_usermode+0x291/0x3b0 [ 167.704228] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 167.709081] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 167.714278] RIP: 0033:0x43ecd8 [ 167.717471] Code: Bad RIP value. [ 167.720835] RSP: 002b:00007ffdd5cead88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 167.728545] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ecd8 [ 167.735814] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 167.743078] RBP: 00000000004be588 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 167.750355] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001 [ 167.757622] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000 [ 167.764896] [ 167.766523] Allocated by task 5487: [ 167.770156] save_stack+0x43/0xd0 [ 167.773605] kasan_kmalloc+0xc7/0xe0 [ 167.777315] kasan_slab_alloc+0x12/0x20 [ 167.781291] kmem_cache_alloc+0x12e/0x730 [ 167.785436] vmx_create_vcpu+0xcf/0x25e0 [ 167.789493] kvm_arch_vcpu_create+0xe5/0x220 [ 167.793898] kvm_vm_ioctl+0x470/0x1d40 [ 167.797783] do_vfs_ioctl+0x1de/0x1720 [ 167.801669] ksys_ioctl+0xa9/0xd0 [ 167.805134] __x64_sys_ioctl+0x73/0xb0 [ 167.809023] do_syscall_64+0x1b9/0x820 [ 167.812910] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 167.818090] [ 167.819723] Freed by task 5487: [ 167.822997] save_stack+0x43/0xd0 [ 167.826448] __kasan_slab_free+0x102/0x150 [ 167.830683] kasan_slab_free+0xe/0x10 [ 167.834482] kmem_cache_free+0x83/0x290 [ 167.838458] vmx_free_vcpu+0x26b/0x300 [ 167.842343] kvm_arch_destroy_vm+0x365/0x7c0 [ 167.846925] kvm_put_kvm+0x6c8/0xff0 [ 167.850641] kvm_vm_release+0x42/0x50 [ 167.854443] __fput+0x385/0xa30 [ 167.857719] ____fput+0x15/0x20 [ 167.861001] task_work_run+0x1e8/0x2a0 [ 167.864886] do_exit+0x1ad7/0x2610 [ 167.868424] do_group_exit+0x177/0x440 [ 167.872314] __x64_sys_exit_group+0x3e/0x50 [ 167.876649] do_syscall_64+0x1b9/0x820 [ 167.880537] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 167.885712] [ 167.887338] The buggy address belongs to the object at ffff8801c0378040 [ 167.887338] which belongs 
to the cache kvm_vcpu of size 23872 [ 167.899923] The buggy address is located 24 bytes inside of [ 167.899923] 23872-byte region [ffff8801c0378040, ffff8801c037dd80) [ 167.911881] The buggy address belongs to the page: [ 167.916816] page:ffffea000700de00 count:1 mapcount:0 mapping:ffff8801d5461dc0 index:0x0 compound_mapcount: 0 [ 167.926792] flags: 0x2fffc0000008100(slab|head) [ 167.931467] raw: 02fffc0000008100 ffff8801d545aa48 ffff8801d545aa48 ffff8801d5461dc0 [ 167.939368] raw: 0000000000000000 ffff8801c0378040 0000000100000001 0000000000000000 [ 167.947240] page dumped because: kasan: bad access detected [ 167.952940] [ 167.954559] Memory state around the buggy address: [ 167.959495] ffff8801c0377f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 167.966854] ffff8801c0377f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 167.974211] >ffff8801c0378000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 167.981564] ^ [ 167.987792] ffff8801c0378080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 167.995245] ffff8801c0378100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 168.002603] ================================================================== [ 168.009966] Kernel panic - not syncing: panic_on_warn set ... [ 168.009966] [ 168.017337] CPU: 0 PID: 5487 Comm: syz-executor196 Tainted: G B 4.19.0-rc3+ #11 [ 168.026080] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 168.035434] Call Trace: [ 168.038029] dump_stack+0x1c4/0x2b4 [ 168.041663] ? dump_stack_print_info.cold.2+0x52/0x52 [ 168.046857] ? lock_downgrade+0x900/0x900 [ 168.051034] panic+0x238/0x4e7 [ 168.054232] ? add_taint.cold.5+0x16/0x16 [ 168.058406] ? print_shadow_for_address+0xb6/0x116 [ 168.063337] ? trace_hardirqs_off+0xaf/0x310 [ 168.067749] kasan_end_report+0x47/0x4f [ 168.071725] kasan_report.cold.9+0x76/0x309 [ 168.076049] ? 
__schedule+0xfc3/0x1ed0 [ 168.079942] __asan_report_load8_noabort+0x14/0x20 [ 168.084873] __schedule+0xfc3/0x1ed0 [ 168.088594] ? __sched_text_start+0x8/0x8 [ 168.092746] ? __lock_is_held+0xb5/0x140 [ 168.096811] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 168.101919] ? find_held_lock+0x36/0x1c0 [ 168.105987] ? __call_srcu+0x7f9/0x1070 [ 168.109961] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 168.115060] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 168.120169] ? lockdep_hardirqs_on+0x421/0x5c0 [ 168.124750] ? preempt_schedule+0x4d/0x60 [ 168.128906] preempt_schedule_common+0x1f/0xd0 [ 168.133494] preempt_schedule+0x4d/0x60 [ 168.137470] ___preempt_schedule+0x16/0x18 [ 168.141713] _raw_spin_unlock_irqrestore+0xbb/0xd0 [ 168.146645] __call_srcu+0x7f9/0x1070 [ 168.150444] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 168.156054] ? srcu_offline_cpu+0x120/0x120 [ 168.160388] ? debug_object_free+0x690/0x690 [ 168.164891] ? mark_held_locks+0x130/0x130 [ 168.169138] ? kvm_arch_destroy_vm+0x414/0x7c0 [ 168.173827] ? lock_release+0x970/0x970 [ 168.177807] ? arch_local_save_flags+0x40/0x40 [ 168.182392] ? depot_save_stack+0x292/0x470 [ 168.186723] ? __lockdep_init_map+0x105/0x590 [ 168.191240] ? __init_waitqueue_head+0x9e/0x150 [ 168.195912] ? init_wait_entry+0x1c0/0x1c0 [ 168.200178] __synchronize_srcu+0x17b/0x230 [ 168.204500] ? call_srcu+0x10/0x10 [ 168.208044] ? rcu_unexpedite_gp+0x20/0x20 [ 168.212288] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 168.217824] ? check_preemption_disabled+0x48/0x200 [ 168.222845] synchronize_srcu+0x356/0x5ab [ 168.226993] ? lock_downgrade+0x900/0x900 [ 168.231154] ? synchronize_srcu_expedited+0x20/0x20 [ 168.236175] ? kasan_check_read+0x11/0x20 [ 168.240324] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 168.244914] ? kasan_check_write+0x14/0x20 [ 168.249153] ? do_raw_spin_lock+0xc1/0x200 [ 168.253401] kvm_page_track_unregister_notifier+0x17d/0x250 [ 168.259124] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 168.264581] ? kvfree+0x61/0x70 [ 168.267865] ? 
rcu_read_lock_sched_held+0x108/0x120 [ 168.272881] kvm_mmu_uninit_vm+0x1c/0x20 [ 168.276958] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 168.281372] ? kvm_arch_sync_events+0x30/0x30 [ 168.285869] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 168.291409] ? mmu_notifier_unregister+0x474/0x600 [ 168.296345] ? kfree+0x107/0x230 [ 168.299720] ? __mmu_notifier_register+0x30/0x30 [ 168.304478] ? __free_pages+0x10a/0x190 [ 168.308455] ? free_unref_page+0x960/0x960 [ 168.312704] kvm_put_kvm+0x6c8/0xff0 [ 168.316428] ? kvm_write_guest_cached+0x40/0x40 [ 168.321098] ? kvm_irqfd_release+0xd1/0x120 [ 168.325438] ? _raw_spin_unlock_irq+0x27/0x80 [ 168.329941] ? _raw_spin_unlock_irq+0x27/0x80 [ 168.334452] ? kasan_check_write+0x14/0x20 [ 168.338693] ? do_raw_spin_lock+0xc1/0x200 [ 168.342980] ? kvm_irqfd_release+0xdd/0x120 [ 168.347300] ? kvm_irqfd_release+0xdd/0x120 [ 168.351631] ? kvm_put_kvm+0xff0/0xff0 [ 168.355520] kvm_vm_release+0x42/0x50 [ 168.359318] __fput+0x385/0xa30 [ 168.362597] ? get_max_files+0x20/0x20 [ 168.366483] ? trace_hardirqs_on+0xbd/0x310 [ 168.370811] ? ___might_sleep+0x1ed/0x300 [ 168.374958] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 168.380422] ? arch_local_save_flags+0x40/0x40 [ 168.385005] ? kasan_check_write+0x14/0x20 [ 168.389242] ? do_raw_spin_lock+0xc1/0x200 [ 168.393477] ____fput+0x15/0x20 [ 168.396758] task_work_run+0x1e8/0x2a0 [ 168.400645] ? task_work_cancel+0x240/0x240 [ 168.404967] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 168.410508] ? switch_task_namespaces+0x9d/0xd0 [ 168.415180] do_exit+0x1ad7/0x2610 [ 168.418740] ? mm_update_next_owner+0x990/0x990 [ 168.423426] ? kvm_vcpu_ioctl+0x29c/0x1150 [ 168.427673] ? rcu_read_lock_sched_held+0x108/0x120 [ 168.432777] ? kfree+0x1fa/0x230 [ 168.436159] ? kvm_vcpu_ioctl+0x2a1/0x1150 [ 168.440407] ? kvm_vcpu_block+0x1030/0x1030 [ 168.444742] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 168.450292] ? avc_has_extended_perms+0xab2/0x15a0 [ 168.455234] ? fpu__prepare_read+0x3b/0x750 [ 168.459558] ? 
avc_ss_reset+0x190/0x190 [ 168.463536] ? save_stack+0xa9/0xd0 [ 168.467165] ? save_stack+0x43/0xd0 [ 168.470788] ? __kasan_slab_free+0x102/0x150 [ 168.475199] ? kasan_slab_free+0xe/0x10 [ 168.479175] ? putname+0xf2/0x130 [ 168.482634] ? __x64_sys_openat+0x9d/0x100 [ 168.486878] ? do_syscall_64+0x1b9/0x820 [ 168.490945] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 168.496327] ? ___might_sleep+0x1ed/0x300 [ 168.500478] ? __bpf_trace_initcall_finish+0x2a/0x30 [ 168.505584] ? trace_hardirqs_off+0xb8/0x310 [ 168.510003] ? kvm_vcpu_block+0x1030/0x1030 [ 168.514330] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 168.520039] ? do_vfs_ioctl+0x201/0x1720 [ 168.524101] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 168.529304] ? ioctl_preallocate+0x300/0x300 [ 168.533716] ? selinux_file_mprotect+0x620/0x620 [ 168.538469] ? path_mountpoint+0x34f/0x2190 [ 168.542792] ? rcu_read_lock_sched_held+0x108/0x120 [ 168.547808] ? kmem_cache_free+0x24f/0x290 [ 168.552050] ? putname+0xf7/0x130 [ 168.555511] do_group_exit+0x177/0x440 [ 168.559409] ? trace_hardirqs_on+0xbd/0x310 [ 168.563762] ? __ia32_sys_exit+0x50/0x50 [ 168.567825] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 168.573276] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 168.578815] ? ksys_ioctl+0x81/0xd0 [ 168.582446] __x64_sys_exit_group+0x3e/0x50 [ 168.586772] do_syscall_64+0x1b9/0x820 [ 168.590665] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 168.596030] ? syscall_return_slowpath+0x5e0/0x5e0 [ 168.600959] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 168.605806] ? trace_hardirqs_on_caller+0x310/0x310 [ 168.610824] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 168.615844] ? prepare_exit_to_usermode+0x291/0x3b0 [ 168.620875] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 168.625723] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 168.630914] RIP: 0033:0x43ecd8 [ 168.634116] Code: Bad RIP value. 
[ 168.637568] RSP: 002b:00007ffdd5cead88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 168.645275] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ecd8 [ 168.652538] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 168.659830] RBP: 00000000004be588 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 168.667097] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001 [ 168.674380] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000 [ 168.681666] [ 168.681673] ====================================================== [ 168.681678] WARNING: possible circular locking dependency detected [ 168.681683] 4.19.0-rc3+ #11 Not tainted [ 168.681689] ------------------------------------------------------ [ 168.681694] syz-executor196/5487 is trying to acquire lock: [ 168.681698] 0000000050ec954d ((console_sem).lock){-...}, at: down_trylock+0x13/0x70 [ 168.681715] [ 168.681719] but task is already holding lock: [ 168.681723] 000000004af13575 (report_lock){....}, at: kasan_report+0x8b/0x110 [ 168.681738] [ 168.681743] which lock already depends on the new lock. 
[ 168.681746] [ 168.681749] [ 168.681754] the existing dependency chain (in reverse order) is: [ 168.681757] [ 168.681760] -> #3 (report_lock){....}: [ 168.681776] _raw_spin_lock_irqsave+0x99/0xd0 [ 168.681780] kasan_report+0x8b/0x110 [ 168.681785] __asan_report_load8_noabort+0x14/0x20 [ 168.681789] __schedule+0xfc3/0x1ed0 [ 168.681794] preempt_schedule_common+0x1f/0xd0 [ 168.681799] preempt_schedule+0x4d/0x60 [ 168.681803] ___preempt_schedule+0x16/0x18 [ 168.681808] _raw_spin_unlock_irqrestore+0xbb/0xd0 [ 168.681812] __call_srcu+0x7f9/0x1070 [ 168.681817] __synchronize_srcu+0x17b/0x230 [ 168.681821] synchronize_srcu+0x356/0x5ab [ 168.681827] kvm_page_track_unregister_notifier+0x17d/0x250 [ 168.681831] kvm_mmu_uninit_vm+0x1c/0x20 [ 168.681836] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 168.681840] kvm_put_kvm+0x6c8/0xff0 [ 168.681844] kvm_vm_release+0x42/0x50 [ 168.681848] __fput+0x385/0xa30 [ 168.681852] ____fput+0x15/0x20 [ 168.681857] task_work_run+0x1e8/0x2a0 [ 168.681861] do_exit+0x1ad7/0x2610 [ 168.681865] do_group_exit+0x177/0x440 [ 168.681870] __x64_sys_exit_group+0x3e/0x50 [ 168.681874] do_syscall_64+0x1b9/0x820 [ 168.681879] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 168.681882] [ 168.681884] -> #2 (&rq->lock){-.-.}: [ 168.681900] _raw_spin_lock+0x2d/0x40 [ 168.681904] task_fork_fair+0xb0/0x6d0 [ 168.681908] sched_fork+0x443/0xba0 [ 168.681913] copy_process+0x2586/0x8780 [ 168.681917] _do_fork+0x1cb/0x11d0 [ 168.681921] kernel_thread+0x34/0x40 [ 168.681925] rest_init+0x22/0xe5 [ 168.681929] start_kernel+0x8f4/0x92f [ 168.681934] x86_64_start_reservations+0x29/0x2b [ 168.681939] x86_64_start_kernel+0x76/0x79 [ 168.681943] secondary_startup_64+0xa4/0xb0 [ 168.681946] [ 168.681948] -> #1 (&p->pi_lock){-.-.}: [ 168.681965] _raw_spin_lock_irqsave+0x99/0xd0 [ 168.681969] try_to_wake_up+0xd2/0x12f0 [ 168.681973] wake_up_process+0x10/0x20 [ 168.681977] __up.isra.1+0x1c0/0x2a0 [ 168.681981] up+0x13c/0x1c0 [ 168.681986] __up_console_sem+0xbe/0x1b0 [ 168.681990] 
console_unlock+0x524/0x11a0 [ 168.681995] vprintk_emit+0x33d/0x930 [ 168.681999] vprintk_default+0x28/0x30 [ 168.682003] vprintk_func+0x7e/0x181 [ 168.682007] printk+0xa7/0xcf [ 168.682011] load_umh+0x51/0xbd [ 168.682016] do_one_initcall+0x145/0x957 [ 168.682020] kernel_init_freeable+0x4bb/0x5ae [ 168.682024] kernel_init+0x11/0x1b2 [ 168.682029] ret_from_fork+0x3a/0x50 [ 168.682031] [ 168.682034] -> #0 ((console_sem).lock){-...}: [ 168.682050] lock_acquire+0x1ed/0x520 [ 168.682055] _raw_spin_lock_irqsave+0x99/0xd0 [ 168.682059] down_trylock+0x13/0x70 [ 168.682064] __down_trylock_console_sem+0xae/0x200 [ 168.682068] console_trylock+0x15/0xa0 [ 168.682072] vprintk_emit+0x322/0x930 [ 168.682077] vprintk_default+0x28/0x30 [ 168.682081] vprintk_func+0x7e/0x181 [ 168.682085] printk+0xa7/0xcf [ 168.682089] kasan_report+0x9b/0x110 [ 168.682094] __asan_report_load8_noabort+0x14/0x20 [ 168.682098] __schedule+0xfc3/0x1ed0 [ 168.682103] preempt_schedule_common+0x1f/0xd0 [ 168.682116] preempt_schedule+0x4d/0x60 [ 168.682121] ___preempt_schedule+0x16/0x18 [ 168.682126] _raw_spin_unlock_irqrestore+0xbb/0xd0 [ 168.682136] __call_srcu+0x7f9/0x1070 [ 168.682141] __synchronize_srcu+0x17b/0x230 [ 168.682145] synchronize_srcu+0x356/0x5ab [ 168.682150] kvm_page_track_unregister_notifier+0x17d/0x250 [ 168.682155] kvm_mmu_uninit_vm+0x1c/0x20 [ 168.682160] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 168.682164] kvm_put_kvm+0x6c8/0xff0 [ 168.682168] kvm_vm_release+0x42/0x50 [ 168.682172] __fput+0x385/0xa30 [ 168.682176] ____fput+0x15/0x20 [ 168.682180] task_work_run+0x1e8/0x2a0 [ 168.682184] do_exit+0x1ad7/0x2610 [ 168.682189] do_group_exit+0x177/0x440 [ 168.682193] __x64_sys_exit_group+0x3e/0x50 [ 168.682198] do_syscall_64+0x1b9/0x820 [ 168.682203] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 168.682205] [ 168.682210] other info that might help us debug this: [ 168.682213] [ 168.682216] Chain exists of: [ 168.682218] (console_sem).lock --> &rq->lock --> report_lock [ 168.682239] [ 168.682243] 
Possible unsafe locking scenario: [ 168.682246] [ 168.682250] CPU0 CPU1 [ 168.682255] ---- ---- [ 168.682257] lock(report_lock); [ 168.682267] lock(&rq->lock); [ 168.682278] lock(report_lock); [ 168.682286] lock((console_sem).lock); [ 168.682295] [ 168.682299] *** DEADLOCK *** [ 168.682301] [ 168.682306] 2 locks held by syz-executor196/5487: [ 168.682309] #0: 00000000e69d68b3 (&rq->lock){-.-.}, at: __schedule+0x236/0x1ed0 [ 168.682327] #1: 000000004af13575 (report_lock){....}, at: kasan_report+0x8b/0x110 [ 168.682346] [ 168.682349] stack backtrace: [ 168.682356] CPU: 0 PID: 5487 Comm: syz-executor196 Not tainted 4.19.0-rc3+ #11 [ 168.682364] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 168.682367] Call Trace: [ 168.682371] dump_stack+0x1c4/0x2b4 [ 168.682376] ? dump_stack_print_info.cold.2+0x52/0x52 [ 168.682381] ? vprintk_func+0x85/0x181 [ 168.682386] print_circular_bug.isra.33.cold.54+0x1bd/0x27d [ 168.682390] ? save_trace+0xe0/0x290 [ 168.682394] __lock_acquire+0x33e4/0x4ec0 [ 168.682399] ? mark_held_locks+0x130/0x130 [ 168.682403] ? mark_held_locks+0x130/0x130 [ 168.682408] ? rcu_bh_qs+0xc0/0xc0 [ 168.682412] ? unwind_dump+0x190/0x190 [ 168.682417] ? is_bpf_text_address+0xd3/0x170 [ 168.682421] ? kernel_text_address+0x79/0xf0 [ 168.682426] ? __kernel_text_address+0xd/0x40 [ 168.682431] ? __save_stack_trace+0x8d/0xf0 [ 168.682436] ? add_lock_to_list.isra.26+0x1ec/0x4b0 [ 168.682440] ? save_trace+0x290/0x290 [ 168.682444] ? save_stack_trace+0x1a/0x20 [ 168.682449] ? save_trace+0xe0/0x290 [ 168.682453] ? kasan_check_read+0x11/0x20 [ 168.682458] ? graph_lock+0x170/0x170 [ 168.682463] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 168.682467] lock_acquire+0x1ed/0x520 [ 168.682471] ? down_trylock+0x13/0x70 [ 168.682476] ? find_held_lock+0x36/0x1c0 [ 168.682480] ? lock_release+0x970/0x970 [ 168.682485] ? trace_hardirqs_off+0xb8/0x310 [ 168.682489] ? vprintk_emit+0x1d3/0x930 [ 168.682494] ? 
trace_hardirqs_on+0x310/0x310 [ 168.682498] ? trace_hardirqs_off+0xb8/0x310 [ 168.682503] ? log_store+0x344/0x4c0 [ 168.682507] ? vprintk_emit+0x322/0x930 [ 168.682512] _raw_spin_lock_irqsave+0x99/0xd0 [ 168.682516] ? down_trylock+0x13/0x70 [ 168.682520] down_trylock+0x13/0x70 [ 168.682525] __down_trylock_console_sem+0xae/0x200 [ 168.682529] console_trylock+0x15/0xa0 [ 168.682533] vprintk_emit+0x322/0x930 [ 168.682538] ? wake_up_klogd+0x180/0x180 [ 168.682542] ? run_rebalance_domains+0x500/0x500 [ 168.682547] ? wake_up_worker+0x117/0x190 [ 168.682551] ? find_held_lock+0x36/0x1c0 [ 168.682556] ? __queue_work+0x6be/0x1440 [ 168.682560] ? lock_acquire+0x1ed/0x520 [ 168.682564] vprintk_default+0x28/0x30 [ 168.682569] vprintk_func+0x7e/0x181 [ 168.682572] printk+0xa7/0xcf [ 168.682577] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 168.682582] ? kasan_check_write+0x14/0x20 [ 168.682586] ? do_raw_spin_lock+0xc1/0x200 [ 168.682591] ? do_raw_spin_lock+0xc1/0x200 [ 168.682595] kasan_report+0x9b/0x110 [ 168.682599] ? __schedule+0xfc3/0x1ed0 [ 168.682604] __asan_report_load8_noabort+0x14/0x20 [ 168.682608] __schedule+0xfc3/0x1ed0 [ 168.682613] ? __sched_text_start+0x8/0x8 [ 168.682617] ? __lock_is_held+0xb5/0x140 [ 168.682622] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 168.682627] ? find_held_lock+0x36/0x1c0 [ 168.682631] ? __call_srcu+0x7f9/0x1070 [ 168.682636] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 168.682642] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 168.682646] ? lockdep_hardirqs_on+0x421/0x5c0 [ 168.682651] ? preempt_schedule+0x4d/0x60 [ 168.682655] preempt_schedule_common+0x1f/0xd0 [ 168.682660] preempt_schedule+0x4d/0x60 [ 168.682664] ___preempt_schedule+0x16/0x18 [ 168.682669] _raw_spin_unlock_irqrestore+0xbb/0xd0 [ 168.682673] __call_srcu+0x7f9/0x1070 [ 168.682678] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 168.682683] ? srcu_offline_cpu+0x120/0x120 [ 168.682688] ? debug_object_free+0x690/0x690 [ 168.682692] ? mark_held_locks+0x130/0x130 [ 168.682697] ? 
kvm_arch_destroy_vm+0x414/0x7c0 [ 168.682701] ? lock_release+0x970/0x970 [ 168.682706] ? arch_local_save_flags+0x40/0x40 [ 168.682710] ? depot_save_stack+0x292/0x470 [ 168.682715] ? __lockdep_init_map+0x105/0x590 [ 168.682720] ? __init_waitqueue_head+0x9e/0x150 [ 168.682724] ? init_wait_entry+0x1c0/0x1c0 [ 168.682729] __synchronize_srcu+0x17b/0x230 [ 168.682733] ? call_srcu+0x10/0x10 [ 168.682738] ? rcu_unexpedite_gp+0x20/0x20 [ 168.682743] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 168.682748] ? check_preemption_disabled+0x48/0x200 [ 168.682752] synchronize_srcu+0x356/0x5ab [ 168.682757] ? lock_downgrade+0x900/0x900 [ 168.682762] ? synchronize_srcu_expedited+0x20/0x20 [ 168.682767] ? kasan_check_read+0x11/0x20 [ 168.682771] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 168.682776] ? kasan_check_write+0x14/0x20 [ 168.682780] ? do_raw_spin_lock+0xc1/0x200 [ 168.682786] kvm_page_track_unregister_notifier+0x17d/0x250 [ 168.682791] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 168.682795] ? kvfree+0x61/0x70 [ 168.682800] ? rcu_read_lock_sched_held+0x108/0x120 [ 168.682804] kvm_mmu_uninit_vm+0x1c/0x20 [ 168.682809] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 168.682814] ? kvm_arch_sync_events+0x30/0x30 [ 168.682819] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 168.682824] ? mmu_notifier_unregister+0x474/0x600 [ 168.682828] ? kfree+0x107/0x230 [ 168.682833] ? __mmu_notifier_register+0x30/0x30 [ 168.682837] ? __free_pages+0x10a/0x190 [ 168.682842] ? free_unref_page+0x960/0x960 [ 168.682846] kvm_put_kvm+0x6c8/0xff0 [ 168.682851] ? kvm_write_guest_cached+0x40/0x40 [ 168.682856] ? kvm_irqfd_release+0xd1/0x120 [ 168.682860] ? _raw_spin_unlock_irq+0x27/0x80 [ 168.682865] ? _raw_spin_unlock_irq+0x27/0x80 [ 168.682869] ? kasan_check_write+0x14/0x20 [ 168.682874] ? do_raw_spin_lock+0xc1/0x200 [ 168.682878] ? kvm_irqfd_release+0xdd [ 168.682887] Lost 73 message(s)! [ 169.848837] Shutting down cpus with NMI [ 170.907636] Kernel Offset: disabled [ 170.911265] Rebooting in 86400 seconds..