[   40.393334] audit: type=1800 audit(1572414058.330:30): pid=7372 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
[   40.434501] audit: type=1800 audit(1572414058.340:31): pid=7372 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
Starting mcstransd: 
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.25' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   50.181613] kauditd_printk_skb: 4 callbacks suppressed
[   50.181636] audit: type=1400 audit(1572414068.150:36): avc:  denied  { map } for  pid=7559 comm="syz-executor873" path="/root/syz-executor873622286" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[   55.194983] ------------[ cut here ]------------
[   55.200862] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80
[   55.211234] WARNING: CPU: 1 PID: 7562 at lib/debugobjects.c:325 debug_print_object+0x168/0x250
[   55.220110] Kernel panic - not syncing: panic_on_warn set ...
[   55.220110] 
[   55.227531] CPU: 1 PID: 7562 Comm: syz-executor873 Not tainted 4.19.81 #0
[   55.234605] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   55.244429] Call Trace:
[   55.247596]  dump_stack+0x172/0x1f0
[   55.251287]  panic+0x26a/0x50e
[   55.254632]  ? __warn_printk+0xf3/0xf3
[   55.258547]  ? debug_print_object+0x168/0x250
[   55.263047]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.268596]  ? __warn.cold+0x5/0x53
[   55.272230]  ? __warn+0xe8/0x1d0
[   55.275609]  ? debug_print_object+0x168/0x250
[   55.280094]  __warn.cold+0x20/0x53
[   55.283620]  ? trace_hardirqs_off+0x62/0x220
[   55.288017]  ? debug_print_object+0x168/0x250
[   55.292513]  report_bug+0x263/0x2b0
[   55.296131]  do_error_trap+0x204/0x360
[   55.300064]  ? math_error+0x340/0x340
[   55.303855]  ? wake_up_klogd+0x99/0xd0
[   55.307735]  ? vprintk_emit+0x1ab/0x690
[   55.311703]  ? error_entry+0x7c/0xe0
[   55.315418]  ? trace_hardirqs_off_caller+0x65/0x220
[   55.320424]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   55.325269]  do_invalid_op+0x1b/0x20
[   55.328969]  invalid_op+0x14/0x20
[   55.332413] RIP: 0010:debug_print_object+0x168/0x250
[   55.337664] Code: dd a0 4b 82 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48 8b 14 dd a0 4b 82 87 48 c7 c7 e0 40 82 87 e8 66 28 1a fe <0f> 0b 83 05 4b f5 18 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
[   55.357553] RSP: 0018:ffff88808a49f8d8 EFLAGS: 00010086
[   55.362919] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[   55.370664] RDX: 0000000000000000 RSI: ffffffff81553f06 RDI: ffffed1011493f0d
[   55.378130] RBP: ffff88808a49f918 R08: ffff888097cbe640 R09: ffffed1015d23ee3
[   55.385542] R10: ffffed1015d23ee2 R11: ffff8880ae91f717 R12: 0000000000000001
[   55.392946] R13: ffffffff887aaac0 R14: ffffffff815ab490 R15: ffff88808fc9d5a8
[   55.400222]  ? __internal_add_timer+0x1f0/0x1f0
[   55.404997]  ? vprintk_func+0x86/0x189
[   55.409688]  ? debug_print_object+0x168/0x250
[   55.414462]  debug_check_no_obj_freed+0x29f/0x464
[   55.419327]  kfree+0xbd/0x220
[   55.422453]  rfcomm_dlc_free+0x20/0x30
[   55.426516]  rfcomm_dev_ioctl+0x181f/0x1b60
[   55.430969]  ? __local_bh_enable_ip+0x15a/0x270
[   55.435651]  ? lock_sock_nested+0xe2/0x120
[   55.439964]  ? __local_bh_enable_ip+0x15a/0x270
[   55.445008]  ? rfcomm_dev_state_change+0x150/0x150
[   55.451213]  ? __local_bh_enable_ip+0x15a/0x270
[   55.456072]  rfcomm_sock_ioctl+0x90/0xb0
[   55.460239]  sock_do_ioctl+0xd8/0x2f0
[   55.464079]  ? compat_ifr_data_ioctl+0x160/0x160
[   55.468946]  ? __lock_acquire+0x6ee/0x49c0
[   55.473185]  ? rcu_read_lock_sched_held+0x110/0x130
[   55.478222]  ? kmem_cache_alloc+0x32a/0x700
[   55.482557]  sock_ioctl+0x325/0x610
[   55.486199]  ? dlci_ioctl_set+0x40/0x40
[   55.490170]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.495710]  ? __might_sleep+0x95/0x190
[   55.499676]  ? find_held_lock+0x35/0x130
[   55.503743]  ? dlci_ioctl_set+0x40/0x40
[   55.507718]  do_vfs_ioctl+0xd5f/0x1380
[   55.511621]  ? selinux_file_ioctl+0x46f/0x5e0
[   55.516126]  ? selinux_file_ioctl+0x125/0x5e0
[   55.520629]  ? ioctl_preallocate+0x210/0x210
[   55.525047]  ? selinux_file_mprotect+0x620/0x620
[   55.530052]  ? __sanitizer_cov_trace_cmp1+0xb/0x20
[   55.535099]  ? __fd_install+0x200/0x640
[   55.539159]  ? fd_install+0x4d/0x60
[   55.542808]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.548357]  ? security_file_ioctl+0x8d/0xc0
[   55.552768]  ksys_ioctl+0xab/0xd0
[   55.556227]  __x64_sys_ioctl+0x73/0xb0
[   55.560108]  do_syscall_64+0xfd/0x620
[   55.565047]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.570243] RIP: 0033:0x441229
[   55.573431] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   55.592472] RSP: 002b:00007ffdece66c98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   55.600188] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[   55.607468] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[   55.615275] RBP: 000000000000d77e R08: 00000000004002c8 R09: 00000000004002c8
[   55.622552] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[   55.629890] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[   55.637298] 
[   55.637302] ======================================================
[   55.637305] WARNING: possible circular locking dependency detected
[   55.637307] 4.19.81 #0 Not tainted
[   55.637311] ------------------------------------------------------
[   55.637314] syz-executor873/7562 is trying to acquire lock:
[   55.637375] 00000000b90dc6c0 ((console_sem).lock){-.-.}, at: down_trylock+0x13/0x70
[   55.637387] 
[   55.637389] but task is already holding lock:
[   55.637391] 00000000bda1ad4b (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[   55.637400] 
[   55.637403] which lock already depends on the new lock.
[   55.637404] 
[   55.637406] 
[   55.637409] the existing dependency chain (in reverse order) is:
[   55.637410] 
[   55.637412] -> #3 (&obj_hash[i].lock){-.-.}:
[   55.637420]        _raw_spin_lock_irqsave+0x95/0xcd
[   55.637423]        __debug_object_init+0xc6/0xc30
[   55.637426]        debug_object_init+0x16/0x20
[   55.637428]        hrtimer_init+0x2a/0x300
[   55.637431]        init_dl_task_timer+0x1b/0x50
[   55.637433]        __sched_fork+0x22a/0x4b0
[   55.637435]        init_idle+0x75/0x800
[   55.637437]        sched_init+0x952/0x9f0
[   55.637440]        start_kernel+0x402/0x8c5
[   55.637443]        x86_64_start_reservations+0x29/0x2b
[   55.637445]        x86_64_start_kernel+0x77/0x7b
[   55.637448]        secondary_startup_64+0xa4/0xb0
[   55.637449] 
[   55.637450] -> #2 (&rq->lock){-.-.}:
[   55.637459]        _raw_spin_lock+0x2f/0x40
[   55.637461]        task_fork_fair+0x6a/0x520
[   55.637463]        sched_fork+0x3af/0x900
[   55.637466]        copy_process.part.0+0x1859/0x7a30
[   55.637468]        _do_fork+0x257/0xfd0
[   55.637470]        kernel_thread+0x34/0x40
[   55.637473]        rest_init+0x24/0x222
[   55.637475]        start_kernel+0x88c/0x8c5
[   55.637478]        x86_64_start_reservations+0x29/0x2b
[   55.637480]        x86_64_start_kernel+0x77/0x7b
[   55.637483]        secondary_startup_64+0xa4/0xb0
[   55.637484] 
[   55.637485] -> #1 (&p->pi_lock){-.-.}:
[   55.637494]        _raw_spin_lock_irqsave+0x95/0xcd
[   55.637496]        try_to_wake_up+0x94/0xf50
[   55.637498]        wake_up_process+0x10/0x20
[   55.637501]        __up.isra.0+0x136/0x1a0
[   55.637503]        up+0x9c/0xe0
[   55.637505]        __up_console_sem+0xb7/0x1c0
[   55.637508]        console_unlock+0x6c7/0x10b0
[   55.637510]        vprintk_emit+0x238/0x690
[   55.637513]        vprintk_default+0x28/0x30
[   55.637515]        vprintk_func+0x7e/0x189
[   55.637517]        printk+0xba/0xed
[   55.637520]        kauditd_hold_skb.cold+0x3f/0x4e
[   55.637522]        kauditd_send_queue+0x12b/0x170
[   55.637525]        kauditd_thread+0x732/0xa60
[   55.637527]        kthread+0x354/0x420
[   55.637529]        ret_from_fork+0x24/0x30
[   55.637530] 
[   55.637532] -> #0 ((console_sem).lock){-.-.}:
[   55.637540]        lock_acquire+0x16f/0x3f0
[   55.637543]        _raw_spin_lock_irqsave+0x95/0xcd
[   55.637545]        down_trylock+0x13/0x70
[   55.637548]        __down_trylock_console_sem+0xa8/0x210
[   55.637550]        console_trylock+0x15/0xa0
[   55.637553]        vprintk_emit+0x21d/0x690
[   55.637555]        vprintk_default+0x28/0x30
[   55.637557]        vprintk_func+0x7e/0x189
[   55.637559]        printk+0xba/0xed
[   55.637562]        __warn_printk+0x9b/0xf3
[   55.637564]        debug_print_object+0x168/0x250
[   55.637567]        debug_check_no_obj_freed+0x29f/0x464
[   55.637569]        kfree+0xbd/0x220
[   55.637572]        rfcomm_dlc_free+0x20/0x30
[   55.637575]        rfcomm_dev_ioctl+0x181f/0x1b60
[   55.637577]        rfcomm_sock_ioctl+0x90/0xb0
[   55.637580]        sock_do_ioctl+0xd8/0x2f0
[   55.637582]        sock_ioctl+0x325/0x610
[   55.637584]        do_vfs_ioctl+0xd5f/0x1380
[   55.637587]        ksys_ioctl+0xab/0xd0
[   55.637589]        __x64_sys_ioctl+0x73/0xb0
[   55.637592]        do_syscall_64+0xfd/0x620
[   55.637595]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.637596] 
[   55.637599] other info that might help us debug this:
[   55.637600] 
[   55.637602] Chain exists of:
[   55.637603]   (console_sem).lock --> &rq->lock --> &obj_hash[i].lock
[   55.637613] 
[   55.637616]  Possible unsafe locking scenario:
[   55.637617] 
[   55.637620]        CPU0                    CPU1
[   55.637622]        ----                    ----
[   55.637623]   lock(&obj_hash[i].lock);
[   55.637629]                                lock(&rq->lock);
[   55.637634]                                lock(&obj_hash[i].lock);
[   55.637639]   lock((console_sem).lock);
[   55.637644] 
[   55.637646]  *** DEADLOCK ***
[   55.637647] 
[   55.637649] 3 locks held by syz-executor873/7562:
[   55.637651]  #0: 00000000136d202c (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: rfcomm_sock_ioctl+0x82/0xb0
[   55.637662]  #1: 0000000033a9534c (rfcomm_ioctl_mutex){+.+.}, at: rfcomm_dev_ioctl+0x4f0/0x1b60
[   55.637672]  #2: 00000000bda1ad4b (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[   55.637682] 
[   55.637684] stack backtrace:
[   55.637688] CPU: 1 PID: 7562 Comm: syz-executor873 Not tainted 4.19.81 #0
[   55.637692] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   55.637694] Call Trace:
[   55.637696]  dump_stack+0x172/0x1f0
[   55.637699]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[   55.637701]  __lock_acquire+0x2e19/0x49c0
[   55.637704]  ? mark_held_locks+0x100/0x100
[   55.637706]  ? kvm_clock_read+0x18/0x30
[   55.637709]  ? kvm_sched_clock_read+0x9/0x20
[   55.637711]  lock_acquire+0x16f/0x3f0
[   55.637713]  ? down_trylock+0x13/0x70
[   55.637716]  _raw_spin_lock_irqsave+0x95/0xcd
[   55.637718]  ? down_trylock+0x13/0x70
[   55.637720]  ? vprintk_emit+0x21d/0x690
[   55.637722]  down_trylock+0x13/0x70
[   55.637725]  ? vprintk_emit+0x21d/0x690
[   55.637727]  __down_trylock_console_sem+0xa8/0x210
[   55.637730]  console_trylock+0x15/0xa0
[   55.637732]  vprintk_emit+0x21d/0x690
[   55.637735]  ? __internal_add_timer+0x1f0/0x1f0
[   55.637737]  vprintk_default+0x28/0x30
[   55.637739]  vprintk_func+0x7e/0x189
[   55.637741]  printk+0xba/0xed
[   55.637744]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   55.637746]  ? __warn_printk+0x8f/0xf3
[   55.637749]  ? rfcomm_session_add+0x300/0x300
[   55.637751]  __warn_printk+0x9b/0xf3
[   55.637753]  ? add_taint.cold+0x16/0x16
[   55.637756]  ? skb_dequeue+0x12e/0x180
[   55.637758]  ? rfcomm_session_add+0x300/0x300
[   55.637761]  debug_print_object+0x168/0x250
[   55.637763]  debug_check_no_obj_freed+0x29f/0x464
[   55.637765]  kfree+0xbd/0x220
[   55.637768]  rfcomm_dlc_free+0x20/0x30
[   55.637770]  rfcomm_dev_ioctl+0x181f/0x1b60
[   55.637773]  ? __local_bh_enable_ip+0x15a/0x270
[   55.637775]  ? lock_sock_nested+0xe2/0x120
[   55.637778]  ? __local_bh_enable_ip+0x15a/0x270
[   55.637780]  ? rfcomm_dev_state_change+0x150/0x150
[   55.637783]  ? __local_bh_enable_ip+0x15a/0x270
[   55.637785]  rfcomm_sock_ioctl+0x90/0xb0
[   55.637788]  sock_do_ioctl+0xd8/0x2f0
[   55.637790]  ? compat_ifr_data_ioctl+0x160/0x160
[   55.637793]  ? __lock_acquire+0x6ee/0x49c0
[   55.637796]  ? rcu_read_lock_sched_held+0x110/0x130
[   55.637799]  ? kmem_cache_alloc+0x32a/0x700
[   55.637802]  sock_ioctl+0x325/0x610
[   55.637804]  ? dlci_ioctl_set+0x40/0x40
[   55.637807]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.637809]  ? __might_sleep+0x95/0x190
[   55.637812]  ? find_held_lock+0x35/0x130
[   55.637814]  ? dlci_ioctl_set+0x40/0x40
[   55.637817]  do_vfs_ioctl+0xd5f/0x1380
[   55.637819]  ? selinux_file_ioctl+0x46f/0x5e0
[   55.637822]  ? selinux_file_ioctl+0x125/0x5e0
[   55.637824]  ? ioctl_preallocate+0x210/0x210
[   55.637827]  ? selinux_file_mprotect+0x620/0x620
[   55.637830]  ? __sanitizer_cov_trace_cmp1+0xb/0x20
[   55.637833]  ? __fd_install+0x200/0x640
[   55.637835]  ? fd_install+0x4d/0x60
[   55.637838]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.637841]  ? security_file_ioctl+0x8d/0xc0
[   55.637859]  ksys_ioctl+0xab/0xd0
[   55.637861]  __x64_sys_ioctl+0x73/0xb0
[   55.637863]  do_syscall_64+0xfd/0x620
[   55.637866]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.637868] RIP: 0033:0x441229
[   55.637878] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   55.637880] RSP: 002b:00007ffdece66c98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   55.637887] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[   55.637890] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[   55.637894] RBP: 000000000000d77e R08: 00000000004002c8 R09: 00000000004002c8
[   55.637898] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[   55.637902] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[   55.639463] Kernel Offset: disabled
[   56.485123] Rebooting in 86400 seconds..