[....] Starting enhanced syslogd: rsyslogd[ 15.799598] audit: type=1400 audit(1519117964.455:5): avc: denied { syslog } for pid=3998 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 18.350993] audit: type=1400 audit(1519117967.006:6): avc: denied { map } for pid=4137 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts. [ 36.958766] audit: type=1400 audit(1519117985.614:7): avc: denied { map } for pid=4155 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2018/02/20 09:13:05 parsed 1 programs 2018/02/20 09:13:05 executed programs: 0 [ 37.205685] audit: type=1400 audit(1519117985.857:8): avc: denied { map } for pid=4155 comm="syz-execprog" path="/root/syzkaller-shm065966666" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 [ 37.239814] IPVS: ftp: loaded support on port[0] = 21 [ 37.248236] audit: type=1400 audit(1519117985.889:9): avc: denied { sys_admin } for pid=4160 comm="syz-executor4" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 37.272664] IPVS: ftp: loaded support on port[0] = 21 [ 37.280400] audit: type=1400 audit(1519117985.936:10): avc: denied { sys_chroot } for pid=4164 comm="syz-executor4" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 37.302997] IPVS: ftp: loaded support on port[0] = 21 [ 37.304835] audit: type=1400 audit(1519117985.936:11): avc: denied { net_admin } for pid=4164 comm="syz-executor4" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 37.331531] IPVS: ftp: loaded support on port[0] = 21 [ 37.341753] audit: type=1400 audit(1519117985.997:12): avc: denied { net_raw } for pid=4178 comm="syz-executor4" capability=13 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 37.364325] IPVS: ftp: loaded support on port[0] = 21 [ 37.442373] IPVS: ftp: loaded support on port[0] = 21 [ 37.478426] IPVS: ftp: loaded support on port[0] = 21 [ 37.580338] IPVS: ftp: loaded support on port[0] = 21 [ 41.787179] ------------[ cut here ]------------ [ 41.793062] ODEBUG: free active (active state 0) object type: work_struct hint: htable_gc+0x0/0xc0 [ 41.802191] WARNING: CPU: 1 PID: 4165 at lib/debugobjects.c:291 debug_print_object+0x166/0x220 [ 41.810908] Kernel panic - not syncing: panic_on_warn set ... [ 41.810908] [ 41.818238] CPU: 1 PID: 4165 Comm: syz-executor3 Not tainted 4.16.0-rc2+ #320 [ 41.825476] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 41.834799] Call Trace: [ 41.837361] dump_stack+0x194/0x257 [ 41.840960] ? arch_local_irq_restore+0x53/0x53 [ 41.845598] ? vsnprintf+0x1ed/0x1900 [ 41.849371] panic+0x1e4/0x41c [ 41.852530] ? refcount_error_report+0x214/0x214 [ 41.857253] ? show_regs_print_info+0x18/0x18 [ 41.861720] ? __warn+0x1c1/0x200 [ 41.865142] ? debug_print_object+0x166/0x220 [ 41.869607] __warn+0x1dc/0x200 [ 41.872853] ? debug_print_object+0x166/0x220 [ 41.877316] report_bug+0x211/0x2d0 [ 41.880913] fixup_bug.part.11+0x37/0x80 [ 41.884952] do_error_trap+0x2d7/0x3e0 [ 41.888810] ? vprintk_default+0x28/0x30 [ 41.892842] ? math_error+0x400/0x400 [ 41.896608] ? printk+0xaa/0xca [ 41.899855] ? show_regs_print_info+0x18/0x18 [ 41.904321] ? __usermodehelper_disable+0x2f0/0x2f0 [ 41.909307] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 41.914205] do_invalid_op+0x1b/0x20 [ 41.917888] invalid_op+0x58/0x80 [ 41.921310] RIP: 0010:debug_print_object+0x166/0x220 [ 41.926380] RSP: 0018:ffff8801b3d8f790 EFLAGS: 00010082 [ 41.931713] RAX: dffffc0000000008 RBX: 0000000000000003 RCX: ffffffff815abdbe [ 41.938952] RDX: 0000000000000000 RSI: 1ffff100367b1ea2 RDI: 1ffff100367b1e77 [ 41.946190] RBP: ffff8801b3d8f7d0 R08: 0000000000000000 R09: 1ffff100367b1e49 [ 41.953427] R10: ffffed00367b1f21 R11: ffffffff86b394b8 R12: 0000000000000001 [ 41.960667] R13: ffffffff86b14d80 R14: ffffffff86007de0 R15: ffffffff8147ac00 [ 41.967907] ? __usermodehelper_disable+0x2f0/0x2f0 [ 41.972892] ? vprintk_func+0x5e/0xc0 [ 41.976664] debug_check_no_obj_freed+0x662/0xf1f [ 41.981475] ? print_irqtrace_events+0x270/0x270 [ 41.986204] ? free_obj_work+0x690/0x690 [ 41.990232] ? do_raw_spin_trylock+0x190/0x190 [ 41.994796] ? mark_held_locks+0xaf/0x100 [ 41.998912] ? __vunmap+0xb6/0x380 [ 42.002425] __vunmap+0x112/0x380 [ 42.005848] vfree+0x50/0xe0 [ 42.008837] do_arpt_get_ctl+0x7c4/0xa00 [ 42.012868] ? get_info+0x690/0x690 [ 42.016460] ? ip_getsockopt+0x143/0x220 [ 42.020495] ? mark_held_locks+0xaf/0x100 [ 42.024613] ? mutex_unlock+0xd/0x10 [ 42.028295] ? nf_sockopt_find.constprop.0+0x1a7/0x220 [ 42.033541] nf_getsockopt+0x6a/0xc0 [ 42.037224] ip_getsockopt+0x15c/0x220 [ 42.041081] ? do_ip_getsockopt+0x2170/0x2170 [ 42.045548] tcp_getsockopt+0x82/0xd0 [ 42.049318] sock_common_getsockopt+0x95/0xd0 [ 42.053786] SyS_getsockopt+0x178/0x340 [ 42.057730] ? SyS_setsockopt+0x360/0x360 [ 42.061852] ? move_addr_to_kernel+0x60/0x60 [ 42.066231] ? do_syscall_64+0xb6/0x940 [ 42.070184] ? SyS_setsockopt+0x360/0x360 [ 42.074297] do_syscall_64+0x280/0x940 [ 42.078152] ? __do_page_fault+0xc90/0xc90 [ 42.082357] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 42.087863] ? syscall_return_slowpath+0x550/0x550 [ 42.092762] ? syscall_return_slowpath+0x2ac/0x550 [ 42.097663] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 42.102998] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 42.107811] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 42.112968] RIP: 0033:0x45687a [ 42.116126] RSP: 002b:0000000000a3eb48 EFLAGS: 00000212 ORIG_RAX: 0000000000000037 [ 42.123802] RAX: ffffffffffffffda RBX: 0000000000000027 RCX: 000000000045687a [ 42.131042] RDX: 0000000000000061 RSI: 0000000000000000 RDI: 0000000000000000 [ 42.138280] RBP: 0000000000a3f200 R08: 0000000000a3eb7c R09: 0000000000000001 [ 42.145519] R10: 0000000000a3f200 R11: 0000000000000212 R12: 0000000000a3eb80 [ 42.152761] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000001380 [ 42.160013] [ 42.160015] ====================================================== [ 42.160016] WARNING: possible circular locking dependency detected [ 42.160017] 4.16.0-rc2+ #320 Not tainted [ 42.160019] ------------------------------------------------------ [ 42.160020] syz-executor3/4165 is trying to acquire lock: [ 42.160021] ((console_sem).lock){..-.}, at: [<00000000d9ab369e>] down_trylock+0x13/0x70 [ 42.160025] [ 42.160027] but task is already holding lock: [ 42.160027] (&obj_hash[i].lock){-.-.}, at: [<00000000ab7f4c5c>] debug_check_no_obj_freed+0x1e9/0xf1f [ 42.160031] [ 42.160033] which lock already depends on the new lock. [ 42.160033] [ 42.160034] [ 42.160035] the existing dependency chain (in reverse order) is: [ 42.160036] [ 42.160037] -> #3 (&obj_hash[i].lock){-.-.}: [ 42.160041] _raw_spin_lock_irqsave+0x96/0xc0 [ 42.160042] __debug_object_init+0x109/0x1040 [ 42.160043] debug_object_init+0x17/0x20 [ 42.160045] hrtimer_init+0x8c/0x410 [ 42.160046] init_dl_task_timer+0x1b/0x50 [ 42.160047] __sched_fork+0x2bb/0xb60 [ 42.160048] init_idle+0x75/0x820 [ 42.160049] sched_init+0xb19/0xc43 [ 42.160050] start_kernel+0x452/0x819 [ 42.160052] x86_64_start_reservations+0x2a/0x2c [ 42.160053] x86_64_start_kernel+0x77/0x7a [ 42.160054] secondary_startup_64+0xa5/0xb0 [ 42.160055] [ 42.160055] -> #2 (&rq->lock){-.-.}: [ 42.160059] _raw_spin_lock+0x2a/0x40 [ 42.160061] task_fork_fair+0x7a/0x690 [ 42.160062] sched_fork+0x450/0xc10 [ 42.160063] copy_process.part.37+0x1758/0x4b60 [ 42.160064] _do_fork+0x1f7/0xf70 [ 42.160065] kernel_thread+0x34/0x40 [ 42.160066] rest_init+0x22/0xf0 [ 42.160067] start_kernel+0x7f1/0x819 [ 42.160069] x86_64_start_reservations+0x2a/0x2c [ 42.160070] x86_64_start_kernel+0x77/0x7a [ 42.160071] secondary_startup_64+0xa5/0xb0 [ 42.160072] [ 42.160072] -> #1 (&p->pi_lock){-.-.}: [ 42.160076] _raw_spin_lock_irqsave+0x96/0xc0 [ 42.160078] try_to_wake_up+0xbc/0x15f0 [ 42.160079] wake_up_process+0x10/0x20 [ 42.160080] __up.isra.0+0x1cc/0x2c0 [ 42.160081] up+0x13b/0x1d0 [ 42.160082] __up_console_sem+0xb2/0x1a0 [ 42.160083] console_unlock+0x5af/0xfb0 [ 42.160084] vprintk_emit+0x5c3/0xb90 [ 42.160086] vprintk_default+0x28/0x30 [ 42.160087] vprintk_func+0x57/0xc0 [ 42.160088] printk+0xaa/0xca [ 42.160089] kauditd_hold_skb+0x163/0x180 [ 42.160090] kauditd_send_queue+0xfa/0x140 [ 42.160091] kauditd_thread+0x660/0x940 [ 42.160092] kthread+0x33c/0x400 [ 42.160093] ret_from_fork+0x3a/0x50 [ 42.160094] [ 42.160095] -> #0 ((console_sem).lock){..-.}: [ 42.160099] lock_acquire+0x1d5/0x580 [ 42.160100] _raw_spin_lock_irqsave+0x96/0xc0 [ 42.160101] down_trylock+0x13/0x70 [ 42.160102] __down_trylock_console_sem+0xa2/0x1e0 [ 42.160104] console_trylock+0x15/0x70 [ 42.160105] vprintk_emit+0x5b5/0xb90 [ 42.160106] vprintk_default+0x28/0x30 [ 42.160107] vprintk_func+0x57/0xc0 [ 42.160108] printk+0xaa/0xca [ 42.160109] __warn_printk+0x90/0xf0 [ 42.160110] debug_print_object+0x166/0x220 [ 42.160112] debug_check_no_obj_freed+0x662/0xf1f [ 42.160113] __vunmap+0x112/0x380 [ 42.160114] vfree+0x50/0xe0 [ 42.160115] do_arpt_get_ctl+0x7c4/0xa00 [ 42.160116] nf_getsockopt+0x6a/0xc0 [ 42.160117] ip_getsockopt+0x15c/0x220 [ 42.160119] tcp_getsockopt+0x82/0xd0 [ 42.160120] sock_common_getsockopt+0x95/0xd0 [ 42.160121] SyS_getsockopt+0x178/0x340 [ 42.160122] do_syscall_64+0x280/0x940 [ 42.160124] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 42.160124] [ 42.160126] other info that might help us debug this: [ 42.160126] [ 42.160127] Chain exists of: [ 42.160128] (console_sem).lock --> &rq->lock --> &obj_hash[i].lock [ 42.160133] [ 42.160134] Possible unsafe locking scenario: [ 42.160135] [ 42.160136] CPU0 CPU1 [ 42.160137] ---- ---- [ 42.160138] lock(&obj_hash[i].lock); [ 42.160140] lock(&rq->lock); [ 42.160143] lock(&obj_hash[i].lock); [ 42.160145] lock((console_sem).lock); [ 42.160148] [ 42.160149] *** DEADLOCK *** [ 42.160149] [ 42.160150] 3 locks held by syz-executor3/4165: [ 42.160151] #0: (sk_lock-AF_INET){+.+.}, at: [<000000005eb92c50>] ip_getsockopt+0x143/0x220 [ 42.160155] #1: (&xt[i].mutex){+.+.}, at: [<00000000c1964dfe>] xt_find_table_lock+0x3e/0x3e0 [ 42.160160] #2: (&obj_hash[i].lock){-.-.}, at: [<00000000ab7f4c5c>] debug_check_no_obj_freed+0x1e9/0xf1f [ 42.160164] [ 42.160165] stack backtrace: [ 42.160167] CPU: 1 PID: 4165 Comm: syz-executor3 Not tainted 4.16.0-rc2+ #320 [ 42.160169] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 42.160170] Call Trace: [ 42.160171] dump_stack+0x194/0x257 [ 42.160172] ? arch_local_irq_restore+0x53/0x53 [ 42.160174] print_circular_bug.isra.38+0x2cd/0x2dc [ 42.160175] ? save_trace+0xe0/0x2b0 [ 42.160176] __lock_acquire+0x30a8/0x3e00 [ 42.160177] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 42.160179] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 42.160180] ? save_stack+0x43/0xd0 [ 42.160181] ? kasan_kmalloc+0xad/0xe0 [ 42.160182] ? vfree+0x50/0xe0 [ 42.160183] ? check_noncircular+0x20/0x20 [ 42.160184] ? check_noncircular+0x20/0x20 [ 42.160185] ? sock_common_getsockopt+0x95/0xd0 [ 42.160186] ? SyS_getsockopt+0x178/0x340 [ 42.160188] ? do_syscall_64+0x280/0x940 [ 42.160189] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 42.160190] ? print_irqtrace_events+0x270/0x270 [ 42.160191] ? check_noncircular+0x20/0x20 [ 42.160193] ? print_irqtrace_events+0x270/0x270 [ 42.160194] ? check_noncircular+0x20/0x20 [ 42.160195] ? check_noncircular+0x20/0x20 [ 42.160196] ? print_irqtrace_events+0x270/0x270 [ 42.160198] lock_acquire+0x1d5/0x580 [ 42.160199] ? lock_acquire+0x1d5/0x580 [ 42.160200] ? down_trylock+0x13/0x70 [ 42.160201] ? lock_release+0xa40/0xa40 [ 42.160202] ? vprintk_emit+0x43b/0xb90 [ 42.160203] ? lock_downgrade+0x980/0x980 [ 42.160204] ? kvm_sched_clock_read+0x25/0x40 [ 42.160205] ? sched_clock+0x31/0x40 [ 42.160207] ? sched_clock_cpu+0x1b/0x180 [ 42.160208] ? vprintk_emit+0x5b5/0xb90 [ 42.160209] _raw_spin_lock_irqsave+0x96/0xc0 [ 42.160210] ? down_trylock+0x13/0x70 [ 42.160211] down_trylock+0x13/0x70 [ 42.160212] ? vprintk_emit+0x5b5/0xb90 [ 42.160213] __down_trylock_console_sem+0xa2/0x1e0 [ 42.160215] console_trylock+0x15/0x70 [ 42.160216] vprintk_emit+0x5b5/0xb90 [ 42.160217] ? console_unlock+0xfb0/0xfb0 [ 42.160218] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 42.160219] ? trace_hardirqs_on+0xd/0x10 [ 42.160221] ? debug_object_active_state+0x3a5/0x580 [ 42.160222] ? debug_object_activate+0x404/0x730 [ 42.160223] ? debug_object_deactivate+0x560/0x560 [ 42.160224] ? mark_held_locks+0xaf/0x100 [ 42.160226] ? __usermodehelper_disable+0x2f0/0x2f0 [ 42.160227] vprintk_default+0x28/0x30 [ 42.160228] vprintk_func+0x57/0xc0 [ 42.160229] printk+0xaa/0xca [ 42.160230] ? show_regs_print_info+0x18/0x18 [ 42.160231] ? __warn_printk+0x84/0xf0 [ 42.160233] ? htable_selective_cleanup+0x3d0/0x3d0 [ 42.160234] __warn_printk+0x90/0xf0 [ 42.160235] ? test_taint+0x20/0x20 [ 42.160236] ? lock_release+0xa40/0xa40 [ 42.160237] ? __schedule+0x90d/0x2070 [ 42.160238] ? htable_selective_cleanup+0x3d0/0x3d0 [ 42.160240] debug_print_object+0x166/0x220 [ 42.160241] debug_check_no_obj_freed+0x662/0xf1f [ 42.160242] ? print_irqtrace_events+0x270/0x270 [ 42.160243] ? free_obj_work+0x690/0x690 [ 42.160245] ? do_raw_spin_trylock+0x190/0x190 [ 42.160246] ? mark_held_locks+0xaf/0x100 [ 42.160247] ? __vunmap+0xb6/0x380 [ 42.160248] __vunmap+0x112/0x380 [ 42.160249] vfree+0x50/0xe0 [ 42.160250] do_arpt_get_ctl+0x7c4/0xa00 [ 42.160251] ? get_info+0x690/0x690 [ 42.160252] ? ip_getsockopt+0x143/0x220 [ 42.160253] ? mark_held_locks+0xaf/0x100 [ 42.160254] ? mutex_unlock+0xd/0x10 [ 42.160256] ? nf_sockopt_find.constprop.0+0x1a7/0x220 [ 42.160257] nf_getsockopt+0x6a/0xc0 [ 42.160258] ip_getsockopt+0x15c/0x220 [ 42.160259] ? do_ip_getsockopt+0x2170/0x2170 [ 42.160260] tcp_getsockopt+0x82/0xd0 [ 42.160262] sock_common_getsockopt+0x95/0xd0 [ 42.160263] SyS_getsockopt+0x178/0x340 [ 42.160264] ? SyS_setsockopt+0x360/0x360 [ 42.160265] ? move_addr_to_kernel+0x60/0x60 [ 42.160266] ? do_syscall_64+0xb6/0x940 [ 42.160267] ? SyS_setsockopt+0x360/0x360 [ 42.160268] do_syscall_64+0x280/0x940 [ 42.160270] ? __do_page_fault+0xc90/0xc90 [ 42.160271] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 42.160272] ? syscall_return_slowpath+0x550/0x550 [ 42.160274] ? syscall_return_slowpath+0x2ac/0x550 [ 42.160275] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 42.160276] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 42.160278] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 42.160279] RIP: 0033:0x45687a [ 42.160280] RSP: 002b:0000000000a3eb48 EFLAGS: 00000212 ORIG_RAX: 0000000000000037 [ 42.160283] RAX: ffffffffffffffda RBX: 0000000000000027 RCX: 000000000045687a [ 42.160285] RDX: 0000000000000061 RSI: 0000000000000000 RDI: 0000000000000000 [ 42.160286] RBP: 0000000000a3f200 R08: 0000000000a3eb7c R09: 0000000000000001 [ 42.160288] R10: 0000000000a3f200 R11: 0000000000000212 R12: 0000000000a3eb80 [ 42.160290] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000001380 [ 42.160757] Dumping ftrace buffer: [ 43.075976] (ftrace buffer empty) [ 43.079660] Kernel Offset: disabled [ 43.083256] Rebooting in 86400 seconds..