[ ok ] Starting enhanced syslogd: rsyslogd[ 16.095724] audit: type=1400 audit(1519105616.982:5): avc: denied { syslog } for pid=3984 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 . [ ok ] Starting periodic command scheduler: cron. Starting mcstransd: [ ok ] Starting file context maintaining daemon: restorecond. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 18.709966] audit: type=1400 audit(1519105619.596:6): avc: denied { map } for pid=4123 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.15.225' (ECDSA) to the list of known hosts. [ 24.969543] audit: type=1400 audit(1519105625.856:7): avc: denied { map } for pid=4137 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2018/02/20 05:47:06 parsed 1 programs 2018/02/20 05:47:06 executed programs: 0 [ 25.236882] audit: type=1400 audit(1519105626.123:8): avc: denied { map } for pid=4137 comm="syz-execprog" path="/root/syzkaller-shm095884310" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 [ 25.267331] audit: type=1400 audit(1519105626.154:9): avc: denied { sys_admin } for pid=4143 comm="syz-executor0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 25.281654] IPVS: ftp: loaded support on port[0] = 21 [ 25.335388] IPVS: ftp: loaded support on port[0] = 21 [ 25.360650] IPVS: ftp: loaded 
support on port[0] = 21 [ 25.366646] audit: type=1400 audit(1519105626.253:10): avc: denied { sys_chroot } for pid=4146 comm="syz-executor0" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 25.398504] IPVS: ftp: loaded support on port[0] = 21 [ 25.407340] audit: type=1400 audit(1519105626.279:11): avc: denied { net_admin } for pid=4148 comm="syz-executor6" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 25.431824] audit: type=1400 audit(1519105626.305:12): avc: denied { net_raw } for pid=4162 comm="syz-executor0" capability=13 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 25.440320] IPVS: ftp: loaded support on port[0] = 21 [ 25.552012] IPVS: ftp: loaded support on port[0] = 21 [ 25.612354] IPVS: ftp: loaded support on port[0] = 21 [ 25.710989] IPVS: ftp: loaded support on port[0] = 21 2018/02/20 05:47:11 executed programs: 257 [ 30.991865] ------------[ cut here ]------------ [ 30.997773] ODEBUG: free active (active state 0) object type: work_struct hint: htable_gc+0x0/0xc0 [ 31.006917] WARNING: CPU: 1 PID: 4157 at lib/debugobjects.c:291 debug_print_object+0x166/0x220 [ 31.015633] Kernel panic - not syncing: panic_on_warn set ... [ 31.015633] [ 31.022965] CPU: 1 PID: 4157 Comm: syz-executor3 Not tainted 4.16.0-rc2+ #320 [ 31.030203] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.039527] Call Trace: [ 31.042086] dump_stack+0x194/0x257 [ 31.045682] ? arch_local_irq_restore+0x53/0x53 [ 31.050322] ? vsnprintf+0x1ed/0x1900 [ 31.054095] panic+0x1e4/0x41c [ 31.057257] ? refcount_error_report+0x214/0x214 [ 31.061981] ? show_regs_print_info+0x18/0x18 [ 31.066449] ? __warn+0x1c1/0x200 [ 31.069873] ? 
debug_print_object+0x166/0x220 [ 31.074339] __warn+0x1dc/0x200 [ 31.077586] ? debug_print_object+0x166/0x220 [ 31.082051] report_bug+0x211/0x2d0 [ 31.085650] fixup_bug.part.11+0x37/0x80 [ 31.089680] do_error_trap+0x2d7/0x3e0 [ 31.093540] ? __usermodehelper_disable+0x2f0/0x2f0 [ 31.098529] ? vprintk_default+0x28/0x30 [ 31.102560] ? math_error+0x400/0x400 [ 31.106330] ? printk+0xaa/0xca [ 31.109580] ? show_regs_print_info+0x18/0x18 [ 31.114046] ? __usermodehelper_disable+0x2f0/0x2f0 [ 31.119034] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.123847] do_invalid_op+0x1b/0x20 [ 31.127533] invalid_op+0x58/0x80 [ 31.130964] RIP: 0010:debug_print_object+0x166/0x220 [ 31.136036] RSP: 0018:ffff8801b7db7778 EFLAGS: 00010082 [ 31.141370] RAX: dffffc0000000008 RBX: 0000000000000003 RCX: ffffffff815abdbe [ 31.148608] RDX: 0000000000000000 RSI: 1ffff10036fb6e9f RDI: 1ffff10036fb6e74 [ 31.155857] RBP: ffff8801b7db77b8 R08: 0000000000000000 R09: 1ffff10036fb6e46 [ 31.163111] R10: ffffed0036fb6f1e R11: ffffffff86b394b8 R12: 0000000000000001 [ 31.170355] R13: ffffffff86b14d80 R14: ffffffff86007de0 R15: ffffffff8147ac00 [ 31.177603] ? __usermodehelper_disable+0x2f0/0x2f0 [ 31.182595] ? vprintk_func+0x5e/0xc0 [ 31.186371] ? debug_print_object+0x166/0x220 [ 31.190839] debug_check_no_obj_freed+0x662/0xf1f [ 31.195653] ? print_irqtrace_events+0x270/0x270 [ 31.200383] ? free_obj_work+0x690/0x690 [ 31.204414] ? do_raw_spin_trylock+0x190/0x190 [ 31.208970] ? mark_held_locks+0xaf/0x100 [ 31.213100] ? __vunmap+0xb6/0x380 [ 31.216617] __vunmap+0x112/0x380 [ 31.220061] vfree+0x50/0xe0 [ 31.223055] do_ipt_get_ctl+0x7f5/0xac0 [ 31.227003] ? get_info+0x690/0x690 [ 31.230614] ? ip_getsockopt+0x143/0x220 [ 31.234651] ? mark_held_locks+0xaf/0x100 [ 31.238772] ? mutex_unlock+0xd/0x10 [ 31.242459] ? nf_sockopt_find.constprop.0+0x1a7/0x220 [ 31.247708] nf_getsockopt+0x6a/0xc0 [ 31.251399] ip_getsockopt+0x15c/0x220 [ 31.255256] ? 
do_ip_getsockopt+0x2170/0x2170 [ 31.259731] tcp_getsockopt+0x82/0xd0 [ 31.263504] sock_common_getsockopt+0x95/0xd0 [ 31.267975] SyS_getsockopt+0x178/0x340 [ 31.271920] ? SyS_setsockopt+0x360/0x360 [ 31.276040] ? move_addr_to_kernel+0x60/0x60 [ 31.280421] ? do_syscall_64+0xb6/0x940 [ 31.284366] ? SyS_setsockopt+0x360/0x360 [ 31.288485] do_syscall_64+0x280/0x940 [ 31.292344] ? __do_page_fault+0xc90/0xc90 [ 31.296561] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 31.302077] ? syscall_return_slowpath+0x550/0x550 [ 31.306978] ? syscall_return_slowpath+0x2ac/0x550 [ 31.311880] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 31.317214] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.322031] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 31.327191] RIP: 0033:0x45687a [ 31.330351] RSP: 002b:0000000000a3e3b8 EFLAGS: 00000216 ORIG_RAX: 0000000000000037 [ 31.338030] RAX: ffffffffffffffda RBX: 0000000000a3e3e0 RCX: 000000000045687a [ 31.345269] RDX: 0000000000000041 RSI: 0000000000000000 RDI: 0000000000000000 [ 31.352507] RBP: 00000000006ff880 R08: 0000000000a3e3dc R09: 0000000000004000 [ 31.359745] R10: 0000000000a3e4e0 R11: 0000000000000216 R12: 0000000000000000 [ 31.366984] R13: 0000000000000000 R14: 0000000000000000 R15: 00000000006fd6c0 [ 31.374238] [ 31.374240] ====================================================== [ 31.374241] WARNING: possible circular locking dependency detected [ 31.374243] 4.16.0-rc2+ #320 Not tainted [ 31.374244] ------------------------------------------------------ [ 31.374246] syz-executor3/4157 is trying to acquire lock: [ 31.374247] ((console_sem).lock){..-.}, at: [<000000002930b44d>] down_trylock+0x13/0x70 [ 31.374251] [ 31.374252] but task is already holding lock: [ 31.374253] (&obj_hash[i].lock){-.-.}, at: [<000000001f892393>] debug_check_no_obj_freed+0x1e9/0xf1f [ 31.374257] [ 31.374259] which lock already depends on the new lock. 
[ 31.374259] [ 31.374260] [ 31.374262] the existing dependency chain (in reverse order) is: [ 31.374262] [ 31.374263] -> #3 (&obj_hash[i].lock){-.-.}: [ 31.374269] _raw_spin_lock_irqsave+0x96/0xc0 [ 31.374270] __debug_object_init+0x109/0x1040 [ 31.374271] debug_object_init+0x17/0x20 [ 31.374273] hrtimer_init+0x8c/0x410 [ 31.374274] init_dl_task_timer+0x1b/0x50 [ 31.374275] __sched_fork+0x2bb/0xb60 [ 31.374276] init_idle+0x75/0x820 [ 31.374277] sched_init+0xb19/0xc43 [ 31.374278] start_kernel+0x452/0x819 [ 31.374280] x86_64_start_reservations+0x2a/0x2c [ 31.374281] x86_64_start_kernel+0x77/0x7a [ 31.374282] secondary_startup_64+0xa5/0xb0 [ 31.374283] [ 31.374284] -> #2 (&rq->lock){-.-.}: [ 31.374288] _raw_spin_lock+0x2a/0x40 [ 31.374289] task_fork_fair+0x7a/0x690 [ 31.374290] sched_fork+0x450/0xc10 [ 31.374291] copy_process.part.37+0x1758/0x4b60 [ 31.374293] _do_fork+0x1f7/0xf70 [ 31.374294] kernel_thread+0x34/0x40 [ 31.374295] rest_init+0x22/0xf0 [ 31.374296] start_kernel+0x7f1/0x819 [ 31.374297] x86_64_start_reservations+0x2a/0x2c [ 31.374299] x86_64_start_kernel+0x77/0x7a [ 31.374300] secondary_startup_64+0xa5/0xb0 [ 31.374301] [ 31.374301] -> #1 (&p->pi_lock){-.-.}: [ 31.374305] _raw_spin_lock_irqsave+0x96/0xc0 [ 31.374306] try_to_wake_up+0xbc/0x15f0 [ 31.374308] wake_up_process+0x10/0x20 [ 31.374309] __up.isra.0+0x1cc/0x2c0 [ 31.374310] up+0x13b/0x1d0 [ 31.374311] __up_console_sem+0xb2/0x1a0 [ 31.374312] console_unlock+0x5af/0xfb0 [ 31.374313] do_con_write+0x106e/0x1f70 [ 31.374314] con_write+0x25/0xb0 [ 31.374316] n_tty_write+0x5ef/0xec0 [ 31.374317] tty_write+0x3fa/0x840 [ 31.374318] __vfs_write+0xef/0x970 [ 31.374319] vfs_write+0x189/0x510 [ 31.374320] SyS_write+0xef/0x220 [ 31.374321] do_syscall_64+0x280/0x940 [ 31.374323] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 31.374323] [ 31.374324] -> #0 ((console_sem).lock){..-.}: [ 31.374328] lock_acquire+0x1d5/0x580 [ 31.374329] _raw_spin_lock_irqsave+0x96/0xc0 [ 31.374330] down_trylock+0x13/0x70 [ 31.374332] 
__down_trylock_console_sem+0xa2/0x1e0 [ 31.374333] console_trylock+0x15/0x70 [ 31.374334] vprintk_emit+0x5b5/0xb90 [ 31.374335] vprintk_default+0x28/0x30 [ 31.374337] vprintk_func+0x57/0xc0 [ 31.374338] printk+0xaa/0xca [ 31.374339] __warn_printk+0x90/0xf0 [ 31.374340] debug_print_object+0x166/0x220 [ 31.374342] debug_check_no_obj_freed+0x662/0xf1f [ 31.374343] __vunmap+0x112/0x380 [ 31.374344] vfree+0x50/0xe0 [ 31.374345] do_ipt_get_ctl+0x7f5/0xac0 [ 31.374346] nf_getsockopt+0x6a/0xc0 [ 31.374347] ip_getsockopt+0x15c/0x220 [ 31.374348] tcp_getsockopt+0x82/0xd0 [ 31.374350] sock_common_getsockopt+0x95/0xd0 [ 31.374351] SyS_getsockopt+0x178/0x340 [ 31.374352] do_syscall_64+0x280/0x940 [ 31.374354] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 31.374354] [ 31.374357] other info that might help us debug this: [ 31.374358] [ 31.374359] Chain exists of: [ 31.374359] (console_sem).lock --> &rq->lock --> &obj_hash[i].lock [ 31.374364] [ 31.374365] Possible unsafe locking scenario: [ 31.374366] [ 31.374367] CPU0 CPU1 [ 31.374368] ---- ---- [ 31.374369] lock(&obj_hash[i].lock); [ 31.374372] lock(&rq->lock); [ 31.374374] lock(&obj_hash[i].lock); [ 31.374377] lock((console_sem).lock); [ 31.374379] [ 31.374380] *** DEADLOCK *** [ 31.374381] [ 31.374382] 3 locks held by syz-executor3/4157: [ 31.374382] #0: (sk_lock-AF_INET){+.+.}, at: [<000000003896cbdb>] ip_getsockopt+0x143/0x220 [ 31.374387] #1: (&xt[i].mutex){+.+.}, at: [<000000002c082b3e>] xt_find_table_lock+0x3e/0x3e0 [ 31.374391] #2: (&obj_hash[i].lock){-.-.}, at: [<000000001f892393>] debug_check_no_obj_freed+0x1e9/0xf1f [ 31.374396] [ 31.374397] stack backtrace: [ 31.374398] CPU: 1 PID: 4157 Comm: syz-executor3 Not tainted 4.16.0-rc2+ #320 [ 31.374400] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.374401] Call Trace: [ 31.374403] dump_stack+0x194/0x257 [ 31.374404] ? arch_local_irq_restore+0x53/0x53 [ 31.374405] print_circular_bug.isra.38+0x2cd/0x2dc [ 31.374406] ? 
save_trace+0xe0/0x2b0 [ 31.374407] __lock_acquire+0x30a8/0x3e00 [ 31.374409] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 31.374410] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 31.374411] ? save_stack+0x43/0xd0 [ 31.374412] ? kasan_kmalloc+0xad/0xe0 [ 31.374413] ? vfree+0x50/0xe0 [ 31.374415] ? check_noncircular+0x20/0x20 [ 31.374416] ? check_noncircular+0x20/0x20 [ 31.374417] ? sock_common_getsockopt+0x95/0xd0 [ 31.374418] ? SyS_getsockopt+0x178/0x340 [ 31.374420] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 31.374421] ? print_irqtrace_events+0x270/0x270 [ 31.374422] ? check_noncircular+0x20/0x20 [ 31.374424] ? print_irqtrace_events+0x270/0x270 [ 31.374425] ? check_noncircular+0x20/0x20 [ 31.374426] ? check_noncircular+0x20/0x20 [ 31.374427] lock_acquire+0x1d5/0x580 [ 31.374428] ? lock_acquire+0x1d5/0x580 [ 31.374429] ? down_trylock+0x13/0x70 [ 31.374430] ? lock_release+0xa40/0xa40 [ 31.374432] ? vprintk_emit+0x43b/0xb90 [ 31.374433] ? lock_downgrade+0x980/0x980 [ 31.374434] ? kvm_sched_clock_read+0x25/0x40 [ 31.374435] ? sched_clock+0x31/0x40 [ 31.374436] ? sched_clock_cpu+0x1b/0x180 [ 31.374437] ? vprintk_emit+0x5b5/0xb90 [ 31.374439] _raw_spin_lock_irqsave+0x96/0xc0 [ 31.374440] ? down_trylock+0x13/0x70 [ 31.374441] down_trylock+0x13/0x70 [ 31.374442] ? vprintk_emit+0x5b5/0xb90 [ 31.374443] __down_trylock_console_sem+0xa2/0x1e0 [ 31.374444] console_trylock+0x15/0x70 [ 31.374445] vprintk_emit+0x5b5/0xb90 [ 31.374446] ? console_unlock+0xfb0/0xfb0 [ 31.374448] ? trace_hardirqs_on+0xd/0x10 [ 31.374449] ? debug_object_active_state+0x3a5/0x580 [ 31.374450] ? debug_object_activate+0x404/0x730 [ 31.374452] ? debug_object_deactivate+0x560/0x560 [ 31.374453] ? mark_held_locks+0xaf/0x100 [ 31.374454] ? __usermodehelper_disable+0x2f0/0x2f0 [ 31.374455] vprintk_default+0x28/0x30 [ 31.374456] vprintk_func+0x57/0xc0 [ 31.374457] printk+0xaa/0xca [ 31.374459] ? show_regs_print_info+0x18/0x18 [ 31.374460] ? __warn_printk+0x84/0xf0 [ 31.374462] ? 
htable_selective_cleanup+0x3d0/0x3d0 [ 31.374464] __warn_printk+0x90/0xf0 [ 31.374465] ? test_taint+0x20/0x20 [ 31.374466] ? lock_release+0xa40/0xa40 [ 31.374467] ? __schedule+0x90d/0x2070 [ 31.374468] ? htable_selective_cleanup+0x3d0/0x3d0 [ 31.374469] debug_print_object+0x166/0x220 [ 31.374471] debug_check_no_obj_freed+0x662/0xf1f [ 31.374472] ? print_irqtrace_events+0x270/0x270 [ 31.374473] ? free_obj_work+0x690/0x690 [ 31.374474] ? do_raw_spin_trylock+0x190/0x190 [ 31.374475] ? mark_held_locks+0xaf/0x100 [ 31.374476] ? __vunmap+0xb6/0x380 [ 31.374477] __vunmap+0x112/0x380 [ 31.374478] vfree+0x50/0xe0 [ 31.374480] do_ipt_get_ctl+0x7f5/0xac0 [ 31.374481] ? get_info+0x690/0x690 [ 31.374482] ? ip_getsockopt+0x143/0x220 [ 31.374483] ? mark_held_locks+0xaf/0x100 [ 31.374484] ? mutex_unlock+0xd/0x10 [ 31.374485] ? nf_sockopt_find.constprop.0+0x1a7/0x220 [ 31.374487] nf_getsockopt+0x6a/0xc0 [ 31.374488] ip_getsockopt+0x15c/0x220 [ 31.374489] ? do_ip_getsockopt+0x2170/0x2170 [ 31.374490] tcp_getsockopt+0x82/0xd0 [ 31.374491] sock_common_getsockopt+0x95/0xd0 [ 31.374492] SyS_getsockopt+0x178/0x340 [ 31.374494] ? SyS_setsockopt+0x360/0x360 [ 31.374495] ? move_addr_to_kernel+0x60/0x60 [ 31.374496] ? do_syscall_64+0xb6/0x940 [ 31.374497] ? SyS_setsockopt+0x360/0x360 [ 31.374498] do_syscall_64+0x280/0x940 [ 31.374499] ? __do_page_fault+0xc90/0xc90 [ 31.374501] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 31.374502] ? syscall_return_slowpath+0x550/0x550 [ 31.374504] ? syscall_return_slowpath+0x2ac/0x550 [ 31.374505] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 31.374506] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 31.374508] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 31.374509] RIP: 0033:0x45687a [ 31.374510] RSP: 002b:0000000000a3e3b8 EFLAGS: 00000216 ORIG_RAX: 0000000000000037 [ 31.374513] RAX: ffffffffffffffda RBX: 0000000000a3e3e0 RCX: 000000000045687a [ 31.374515] RDX: 0000000000000041 RSI: 0000000000000000 RDI: 0000000000000000 [ 31.374517] RBP: 00000000006ff880 R08: 0000000000a3e3dc R09: 0000000000004000 [ 31.374519] R10: 0000000000a3e4e0 R11: 0000000000000216 R12: 0000000000000000 [ 31.374521] R13: 0000000000000000 R14: 0000000000000000 R15: 00000000006fd6c0 [ 31.374995] Dumping ftrace buffer: [ 32.276092] (ftrace buffer empty) [ 32.279773] Kernel Offset: disabled [ 32.283375] Rebooting in 86400 seconds..