Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   49.316356] kauditd_printk_skb: 2 callbacks suppressed
[   49.316371] audit: type=1400 audit(1568103096.043:36): avc: denied { map } for pid=7564 comm="syz-executor566" path="/root/syz-executor566629271" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[   54.326496] ------------[ cut here ]------------
[   54.332205] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80
[   54.342231] WARNING: CPU: 0 PID: 7567 at lib/debugobjects.c:325 debug_print_object+0x168/0x250
[   54.351099] Kernel panic - not syncing: panic_on_warn set ...
[   54.351099] 
[   54.358443] CPU: 0 PID: 7567 Comm: syz-executor566 Not tainted 4.19.71 #0
[   54.365354] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.374739] Call Trace:
[   54.377326]  dump_stack+0x172/0x1f0
[   54.380938]  panic+0x263/0x507
[   54.384116]  ? __warn_printk+0xf3/0xf3
[   54.387988]  ? debug_print_object+0x168/0x250
[   54.392467]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.397985]  ? __warn.cold+0x5/0x4a
[   54.401590]  ? __warn+0xe8/0x1d0
[   54.404939]  ? debug_print_object+0x168/0x250
[   54.409412]  __warn.cold+0x20/0x4a
[   54.412934]  ? trace_hardirqs_off+0x62/0x220
[   54.417322]  ? debug_print_object+0x168/0x250
[   54.421811]  report_bug+0x263/0x2b0
[   54.425428]  do_error_trap+0x204/0x360
[   54.429309]  ? math_error+0x340/0x340
[   54.433091]  ? wake_up_klogd+0x99/0xd0
[   54.436956]  ? vprintk_emit+0x1ab/0x690
[   54.440910]  ? error_entry+0x7c/0xe0
[   54.444606]  ? trace_hardirqs_off_caller+0x65/0x220
[   54.449605]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   54.454428]  do_invalid_op+0x1b/0x20
[   54.458125]  invalid_op+0x14/0x20
[   54.461558] RIP: 0010:debug_print_object+0x168/0x250
[   54.466654] Code: dd a0 56 82 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48 8b 14 dd a0 56 82 87 48 c7 c7 e0 4b 82 87 e8 06 1c 19 fe <0f> 0b 83 05 7b 95 17 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
[   54.485533] RSP: 0018:ffff8880a092f8d8 EFLAGS: 00010086
[   54.490875] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[   54.498125] RDX: 0000000000000000 RSI: ffffffff8155df16 RDI: ffffed1014125f0d
[   54.505375] RBP: ffff8880a092f918 R08: ffff88809325c300 R09: ffffed1015d03ee3
[   54.512626] R10: ffffed1015d03ee2 R11: ffff8880ae81f717 R12: 0000000000000001
[   54.519877] R13: ffffffff887ac600 R14: ffffffff815b54a0 R15: ffff8880a454f7e8
[   54.527133]  ? __internal_add_timer+0x1f0/0x1f0
[   54.531784]  ? vprintk_func+0x86/0x189
[   54.535664]  ? debug_print_object+0x168/0x250
[   54.540140]  debug_check_no_obj_freed+0x29f/0x464
[   54.544968]  kfree+0xbd/0x220
[   54.548056]  rfcomm_dlc_free+0x20/0x30
[   54.551925]  rfcomm_dev_ioctl+0x181f/0x1b60
[   54.556229]  ? __local_bh_enable_ip+0x15a/0x270
[   54.560878]  ? lock_sock_nested+0xe2/0x120
[   54.565094]  ? __local_bh_enable_ip+0x15a/0x270
[   54.569747]  ? rfcomm_dev_state_change+0x150/0x150
[   54.574663]  ? __local_bh_enable_ip+0x15a/0x270
[   54.579314]  rfcomm_sock_ioctl+0x90/0xb0
[   54.583359]  sock_do_ioctl+0xd8/0x2f0
[   54.587142]  ? compat_ifr_data_ioctl+0x160/0x160
[   54.591889]  ? kasan_check_read+0x11/0x20
[   54.596016]  ? do_raw_spin_unlock+0x57/0x270
[   54.600406]  ? do_wp_page+0x585/0x10b0
[   54.604274]  ? finish_mkwrite_fault+0x4f0/0x4f0
[   54.608924]  sock_ioctl+0x325/0x610
[   54.612670]  ? dlci_ioctl_set+0x40/0x40
[   54.616634]  ? __handle_mm_fault+0x7d1/0x3f80
[   54.621126]  ? __might_sleep+0x95/0x190
[   54.625081]  ? dlci_ioctl_set+0x40/0x40
[   54.629040]  do_vfs_ioctl+0xd5f/0x1380
[   54.632909]  ? selinux_file_ioctl+0x46f/0x5e0
[   54.637386]  ? selinux_file_ioctl+0x125/0x5e0
[   54.641862]  ? ioctl_preallocate+0x210/0x210
[   54.646249]  ? selinux_file_mprotect+0x620/0x620
[   54.650988]  ? migration_entry_to_page+0x1d8/0x320
[   54.655898]  ? write_comp_data+0x2b/0x70
[   54.659940]  ? up_read+0x1a/0x110
[   54.663431]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.668973]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.674496]  ? security_file_ioctl+0x8d/0xc0
[   54.678889]  ksys_ioctl+0xab/0xd0
[   54.682327]  __x64_sys_ioctl+0x73/0xb0
[   54.686200]  do_syscall_64+0xfd/0x620
[   54.689985]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.695154] RIP: 0033:0x441229
[   54.698337] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   54.717219] RSP: 002b:00007ffedc810a28 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   54.724921] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[   54.732173] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000003
[   54.739428] RBP: 000000000000d40e R08: 00000000004002c8 R09: 00000000004002c8
[   54.746678] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[   54.753941] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[   54.761206] 
[   54.761210] ======================================================
[   54.761213] WARNING: possible circular locking dependency detected
[   54.761215] 4.19.71 #0 Not tainted
[   54.761218] ------------------------------------------------------
[   54.761221] syz-executor566/7567 is trying to acquire lock:
[   54.761223] 0000000074ca50f0 ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[   54.761232] 
[   54.761234] but task is already holding lock:
[   54.761236] 000000001931ee06 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[   54.761244] 
[   54.761247] which lock already depends on the new lock.
[   54.761248] 
[   54.761250] 
[   54.761253] the existing dependency chain (in reverse order) is:
[   54.761254] 
[   54.761255] -> #3 (&obj_hash[i].lock){-.-.}:
[   54.761264]        _raw_spin_lock_irqsave+0x95/0xcd
[   54.761266]        __debug_object_init+0xc6/0xc30
[   54.761269]        debug_object_init+0x16/0x20
[   54.761271]        hrtimer_init+0x2a/0x300
[   54.761273]        init_dl_task_timer+0x1b/0x50
[   54.761275]        __sched_fork+0x22a/0x4b0
[   54.761278]        init_idle+0x75/0x800
[   54.761280]        sched_init+0x952/0x9f0
[   54.761282]        start_kernel+0x402/0x8c5
[   54.761284]        x86_64_start_reservations+0x29/0x2b
[   54.761287]        x86_64_start_kernel+0x77/0x7b
[   54.761289]        secondary_startup_64+0xa4/0xb0
[   54.761291] 
[   54.761292] -> #2 (&rq->lock){-.-.}:
[   54.761300]        _raw_spin_lock+0x2f/0x40
[   54.761302]        task_fork_fair+0x6a/0x520
[   54.761305]        sched_fork+0x3af/0x900
[   54.761308]        copy_process.part.0+0x1859/0x7a30
[   54.761310]        _do_fork+0x257/0xfd0
[   54.761312]        kernel_thread+0x34/0x40
[   54.761314]        rest_init+0x24/0x222
[   54.761317]        start_kernel+0x88c/0x8c5
[   54.761319]        x86_64_start_reservations+0x29/0x2b
[   54.761322]        x86_64_start_kernel+0x77/0x7b
[   54.761324]        secondary_startup_64+0xa4/0xb0
[   54.761325] 
[   54.761327] -> #1 (&p->pi_lock){-.-.}:
[   54.761335]        _raw_spin_lock_irqsave+0x95/0xcd
[   54.761337]        try_to_wake_up+0x94/0xf50
[   54.761339]        wake_up_process+0x10/0x20
[   54.761342]        __up.isra.0+0x136/0x1a0
[   54.761344]        up+0x9c/0xe0
[   54.761346]        __up_console_sem+0xb7/0x1c0
[   54.761348]        console_unlock+0x6c7/0x10b0
[   54.761350]        vprintk_emit+0x238/0x690
[   54.761353]        vprintk_default+0x28/0x30
[   54.761355]        vprintk_func+0x7e/0x189
[   54.761357]        printk+0xba/0xed
[   54.761359]        kauditd_hold_skb.cold+0x3f/0x4e
[   54.761362]        kauditd_send_queue+0x12b/0x170
[   54.761364]        kauditd_thread+0x732/0xa60
[   54.761366]        kthread+0x354/0x420
[   54.761368]        ret_from_fork+0x24/0x30
[   54.761370] 
[   54.761371] -> #0 ((console_sem).lock){-...}:
[   54.761379]        lock_acquire+0x16f/0x3f0
[   54.761381]        _raw_spin_lock_irqsave+0x95/0xcd
[   54.761384]        down_trylock+0x13/0x70
[   54.761386]        __down_trylock_console_sem+0xa8/0x210
[   54.761389]        console_trylock+0x15/0xa0
[   54.761391]        vprintk_emit+0x21d/0x690
[   54.761393]        vprintk_default+0x28/0x30
[   54.761395]        vprintk_func+0x7e/0x189
[   54.761397]        printk+0xba/0xed
[   54.761399]        __warn_printk+0x9b/0xf3
[   54.761402]        debug_print_object+0x168/0x250
[   54.761404]        debug_check_no_obj_freed+0x29f/0x464
[   54.761406]        kfree+0xbd/0x220
[   54.761409]        rfcomm_dlc_free+0x20/0x30
[   54.761411]        rfcomm_dev_ioctl+0x181f/0x1b60
[   54.761413]        rfcomm_sock_ioctl+0x90/0xb0
[   54.761416]        sock_do_ioctl+0xd8/0x2f0
[   54.761418]        sock_ioctl+0x325/0x610
[   54.761420]        do_vfs_ioctl+0xd5f/0x1380
[   54.761422]        ksys_ioctl+0xab/0xd0
[   54.761424]        __x64_sys_ioctl+0x73/0xb0
[   54.761427]        do_syscall_64+0xfd/0x620
[   54.761429]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.761431] 
[   54.761433] other info that might help us debug this:
[   54.761434] 
[   54.761436] Chain exists of:
[   54.761437]   (console_sem).lock --> &rq->lock --> &obj_hash[i].lock
[   54.761448] 
[   54.761450]  Possible unsafe locking scenario:
[   54.761451] 
[   54.761454]        CPU0                    CPU1
[   54.761456]        ----                    ----
[   54.761457]   lock(&obj_hash[i].lock);
[   54.761463]                                lock(&rq->lock);
[   54.761468]                                lock(&obj_hash[i].lock);
[   54.761473]   lock((console_sem).lock);
[   54.761478] 
[   54.761479]  *** DEADLOCK ***
[   54.761481] 
[   54.761483] 3 locks held by syz-executor566/7567:
[   54.761484]  #0: 000000000e6b464f (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: rfcomm_sock_ioctl+0x82/0xb0
[   54.761495]  #1: 0000000038e5d520 (rfcomm_ioctl_mutex){+.+.}, at: rfcomm_dev_ioctl+0x4f0/0x1b60
[   54.761505]  #2: 000000001931ee06 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[   54.761515] 
[   54.761517] stack backtrace:
[   54.761520] CPU: 0 PID: 7567 Comm: syz-executor566 Not tainted 4.19.71 #0
[   54.761524] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.761526] Call Trace:
[   54.761528]  dump_stack+0x172/0x1f0
[   54.761531]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[   54.761533]  __lock_acquire+0x2e19/0x49c0
[   54.761536]  ? mark_held_locks+0x100/0x100
[   54.761538]  ? kvm_clock_read+0x18/0x30
[   54.761540]  ? kvm_sched_clock_read+0x9/0x20
[   54.761543]  lock_acquire+0x16f/0x3f0
[   54.761545]  ? down_trylock+0x13/0x70
[   54.761547]  _raw_spin_lock_irqsave+0x95/0xcd
[   54.761549]  ? down_trylock+0x13/0x70
[   54.761552]  ? vprintk_emit+0x21d/0x690
[   54.761554]  down_trylock+0x13/0x70
[   54.761556]  ? vprintk_emit+0x21d/0x690
[   54.761559]  __down_trylock_console_sem+0xa8/0x210
[   54.761561]  console_trylock+0x15/0xa0
[   54.761563]  vprintk_emit+0x21d/0x690
[   54.761566]  ? __internal_add_timer+0x1f0/0x1f0
[   54.761568]  vprintk_default+0x28/0x30
[   54.761570]  vprintk_func+0x7e/0x189
[   54.761572]  printk+0xba/0xed
[   54.761574]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   54.761577]  ? __warn_printk+0x8f/0xf3
[   54.761579]  ? rfcomm_session_add+0x300/0x300
[   54.761581]  __warn_printk+0x9b/0xf3
[   54.761583]  ? add_taint.cold+0x16/0x16
[   54.761586]  ? skb_dequeue+0x12e/0x180
[   54.761588]  ? rfcomm_session_add+0x300/0x300
[   54.761591]  debug_print_object+0x168/0x250
[   54.761593]  debug_check_no_obj_freed+0x29f/0x464
[   54.761595]  kfree+0xbd/0x220
[   54.761597]  rfcomm_dlc_free+0x20/0x30
[   54.761600]  rfcomm_dev_ioctl+0x181f/0x1b60
[   54.761602]  ? __local_bh_enable_ip+0x15a/0x270
[   54.761604]  ? lock_sock_nested+0xe2/0x120
[   54.761607]  ? __local_bh_enable_ip+0x15a/0x270
[   54.761610]  ? rfcomm_dev_state_change+0x150/0x150
[   54.761612]  ? __local_bh_enable_ip+0x15a/0x270
[   54.761614]  rfcomm_sock_ioctl+0x90/0xb0
[   54.761617]  sock_do_ioctl+0xd8/0x2f0
[   54.761619]  ? compat_ifr_data_ioctl+0x160/0x160
[   54.761621]  ? kasan_check_read+0x11/0x20
[   54.761624]  ? do_raw_spin_unlock+0x57/0x270
[   54.761626]  ? do_wp_page+0x585/0x10b0
[   54.761629]  ? finish_mkwrite_fault+0x4f0/0x4f0
[   54.761631]  sock_ioctl+0x325/0x610
[   54.761633]  ? dlci_ioctl_set+0x40/0x40
[   54.761635]  ? __handle_mm_fault+0x7d1/0x3f80
[   54.761638]  ? __might_sleep+0x95/0x190
[   54.761640]  ? dlci_ioctl_set+0x40/0x40
[   54.761642]  do_vfs_ioctl+0xd5f/0x1380
[   54.761645]  ? selinux_file_ioctl+0x46f/0x5e0
[   54.761647]  ? selinux_file_ioctl+0x125/0x5e0
[   54.761649]  ? ioctl_preallocate+0x210/0x210
[   54.761652]  ? selinux_file_mprotect+0x620/0x620
[   54.761655]  ? migration_entry_to_page+0x1d8/0x320
[   54.761657]  ? write_comp_data+0x2b/0x70
[   54.761659]  ? up_read+0x1a/0x110
[   54.761662]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.761665]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.761667]  ? security_file_ioctl+0x8d/0xc0
[   54.761669]  ksys_ioctl+0xab/0xd0
[   54.761671]  __x64_sys_ioctl+0x73/0xb0
[   54.761673]  do_syscall_64+0xfd/0x620
[   54.761676]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.761678] RIP: 0033:0x441229
[   54.761686] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   54.761689] RSP: 002b:00007ffedc810a28 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   54.761694] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[   54.761698] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000003
[   54.761702] RBP: 000000000000d40e R08: 00000000004002c8 R09: 00000000004002c8
[   54.761705] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[   54.761708] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[   54.762921] Kernel Offset: disabled
[   55.585595] Rebooting in 86400 seconds..
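Triaging a report like the one above comes down to three questions: which object was freed while still live (the ODEBUG line says a timer_list whose callback is rfcomm_dlc_timeout, so the timer would later fire on freed memory), which driver code freed it (the reliable, non-"?" frames above kfree in the first call trace), and which user-space entry point reached it (ORIG_RAX in the user-space register dump holds the syscall number, RSI the second argument, here the ioctl request). The lockdep splat that follows is a secondary report triggered by printing the warning under obj_hash lock, not the bug itself. The script below is an added triage helper written for this page, not syzkaller or kernel code. Its sample input is a constructed, trimmed subset of the lines quoted above; it assumes the generic Linux _IOC field layout (8-bit nr, 8-bit type, 14-bit size, 2-bit direction) and that syscall number 16 is ioctl on x86-64. It deliberately does not name the RFCOMM ioctl constant that request 0x400452c8 corresponds to; look that up against the kernel's RFCOMM headers for the tree being triaged.

```python
"""Pull the triage-relevant facts out of an ODEBUG "free active" crash log.

Added example for this page; not part of syzkaller or the kernel.
"""
import re
from typing import List, Optional

# Constructed sample input: a trimmed subset of the report above, copied verbatim.
SAMPLE_LOG = """\
[   54.326496] ------------[ cut here ]------------
[   54.332205] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80
[   54.342231] WARNING: CPU: 0 PID: 7567 at lib/debugobjects.c:325 debug_print_object+0x168/0x250
[   54.374739] Call Trace:
[   54.377326]  dump_stack+0x172/0x1f0
[   54.380938]  panic+0x263/0x507
[   54.387988]  ? debug_print_object+0x168/0x250
[   54.540140]  debug_check_no_obj_freed+0x29f/0x464
[   54.544968]  kfree+0xbd/0x220
[   54.548056]  rfcomm_dlc_free+0x20/0x30
[   54.551925]  rfcomm_dev_ioctl+0x181f/0x1b60
[   54.556229]  ? __local_bh_enable_ip+0x15a/0x270
[   54.579314]  rfcomm_sock_ioctl+0x90/0xb0
[   54.583359]  sock_do_ioctl+0xd8/0x2f0
[   54.689985]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.695154] RIP: 0033:0x441229
[   54.717219] RSP: 002b:00007ffedc810a28 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   54.732173] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000003
"""

TS = r"^\[\s*\d+\.\d+\]\s*"                      # dmesg timestamp prefix
ODEBUG_RE = re.compile(
    TS + r"ODEBUG: (?P<msg>\S+) (?P<state_name>\S+) \(active state (?P<state>\d+)\) "
    r"object type: (?P<type>\S+) hint: (?P<hint>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+"
)
FRAME_RE = re.compile(TS + r"(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
BLANK_RE = re.compile(TS + r"$")                  # empty line ends the trace block
ORIG_RAX_RE = re.compile(r"ORIG_RAX: (?P<v>[0-9a-f]{16})")
RSI_RE = re.compile(r"\bRSI: (?P<v>[0-9a-f]{16})")
X86_64_NR_IOCTL = 16                              # assumption: x86-64 syscall table


def parse_odebug(log: str) -> Optional[dict]:
    """Return what debugobjects complained about: operation, object type and
    the callback (hint) still registered on the object."""
    for line in log.splitlines():
        m = ODEBUG_RE.match(line)
        if m:
            d = m.groupdict()
            d["state"] = int(d["state"])
            return d
    return None


def callers_of(log: str, sym: str) -> List[str]:
    """Reliable frames above `sym` in the first 'Call Trace:' block, innermost
    first, so element 0 is the function that called `sym`. '?' frames are
    stale stack slots and are skipped; the block ends at an empty log line."""
    frames: List[str] = []
    in_trace = False
    for line in log.splitlines():
        if line.rstrip().endswith("Call Trace:"):
            if in_trace:
                break                             # only the first trace
            in_trace = True
            continue
        if not in_trace:
            continue
        if BLANK_RE.match(line):
            break
        m = FRAME_RE.match(line)
        if m and not m.group("unreliable"):
            frames.append(m.group("sym"))
    if sym not in frames:
        return []
    return frames[frames.index(sym) + 1:]


def decode_ioctl(cmd: int) -> dict:
    """Split an ioctl request into its _IOC fields (generic Linux layout)."""
    typ = (cmd >> 8) & 0xFF
    return {
        "nr": cmd & 0xFF,
        "type": chr(typ) if 0x20 <= typ < 0x7F else f"0x{typ:02x}",
        "size": (cmd >> 16) & 0x3FFF,
        "dir": {0: "NONE", 1: "W", 2: "R", 3: "RW"}[(cmd >> 30) & 0x3],
    }


def syscall_from_regs(log: str) -> Optional[dict]:
    """Read the user-space register dump (the block after 'RIP: 0033:', CS=0x33
    being user code): ORIG_RAX is the syscall number, RSI the second argument."""
    lines = log.splitlines()
    start = next((i for i, l in enumerate(lines) if "RIP: 0033:" in l), None)
    if start is None:
        return None
    block = "\n".join(lines[start:start + 8])     # RIP, Code, RSP, RAX..R15
    nr, rsi = ORIG_RAX_RE.search(block), RSI_RE.search(block)
    if not nr or not rsi:
        return None
    nr_v = int(nr.group("v"), 16)
    out = {"nr": nr_v, "is_ioctl": nr_v == X86_64_NR_IOCTL}
    if out["is_ioctl"]:
        out["request"] = decode_ioctl(int(rsi.group("v"), 16))
    return out


def triage(log: str) -> dict:
    """One-screen summary: freed object, callback left armed on it, the
    function that freed it, the driver ioctl handler on the path, and the
    user-space request that got there."""
    od = parse_odebug(log) or {}
    callers = callers_of(log, "kfree")
    return {
        "object": od.get("type"),
        "pending_callback": od.get("hint"),
        "freed_by": callers[0] if callers else None,
        "driver_entry": next((f for f in callers if f.endswith("_ioctl")), None),
        "syscall": syscall_from_regs(log) or {},
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k:17} {v}")
```

Run against the full report the same functions give the same answer, because the first call trace keeps going past the in-kernel register dump (RIP: 0010) and only ends at the empty line before the lockdep section. The decoded request, _IOC(W, 'R', 200, 4), tells you the ioctl belongs to the 'R' group the trace already attributes to rfcomm_sock_ioctl, which is what you feed into a reproducer or a patch search.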