[ ok ] Starting enhanced syslogd: rsyslogd.
[ 56.137541][ T26] audit: type=1800 audit(1561836444.925:25): pid=8634 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 56.166443][ T26] audit: type=1800 audit(1561836444.925:26): pid=8634 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 56.215673][ T26] audit: type=1800 audit(1561836444.925:27): pid=8634 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.198' (ECDSA) to the list of known hosts.
2019/06/29 19:27:37 parsed 1 programs
2019/06/29 19:27:39 executed programs: 0
syzkaller login: [ 70.693089][ T8801] IPVS: ftp: loaded support on port[0] = 21
[ 70.767223][ T8801] chnl_net:caif_netlink_parms(): no params data found
[ 70.794699][ T8801] bridge0: port 1(bridge_slave_0) entered blocking state
[ 70.803158][ T8801] bridge0: port 1(bridge_slave_0) entered disabled state
[ 70.811474][ T8801] device bridge_slave_0 entered promiscuous mode
[ 70.820334][ T8801] bridge0: port 2(bridge_slave_1) entered blocking state
[ 70.827925][ T8801] bridge0: port 2(bridge_slave_1) entered disabled state
[ 70.835702][ T8801] device bridge_slave_1 entered promiscuous mode
[ 70.852710][ T8801] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 70.863880][ T8801] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 70.883733][ T8801] team0: Port device team_slave_0 added
[ 70.891740][ T8801] team0: Port device team_slave_1 added
[ 70.958349][ T8801] device hsr_slave_0 entered promiscuous mode
[ 71.026987][ T8801] device hsr_slave_1 entered promiscuous mode
[ 71.094372][ T8801] bridge0: port 2(bridge_slave_1) entered blocking state
[ 71.101754][ T8801] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 71.109586][ T8801] bridge0: port 1(bridge_slave_0) entered blocking state
[ 71.116769][ T8801] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 71.150286][ T8801] 8021q: adding VLAN 0 to HW filter on device bond0
[ 71.163603][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 71.184293][ T12] bridge0: port 1(bridge_slave_0) entered disabled state
[ 71.193293][ T12] bridge0: port 2(bridge_slave_1) entered disabled state
[ 71.202478][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 71.216063][ T8801] 8021q: adding VLAN 0 to HW filter on device team0
[ 71.227043][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 71.235694][ T23] bridge0: port 1(bridge_slave_0) entered blocking state
[ 71.242942][ T23] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 71.254221][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 71.263571][ T12] bridge0: port 2(bridge_slave_1) entered blocking state
[ 71.271000][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 71.288449][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 71.298209][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 71.317920][ T8801] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 71.336383][ T8801] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 71.348927][ T8804] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 71.357775][ T8804] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 71.366991][ T8804] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 71.375811][ T8804] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 71.393231][ T8801] 8021q: adding VLAN 0 to HW filter on device batadv0
2019/06/29 19:27:44 executed programs: 5
[ 76.864355][ T8839]
[ 76.866970][ T8839] =====================================================
[ 76.874744][ T8839] WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
[ 76.882345][ T8839] 5.2.0-rc6-next-20190628 #25 Not tainted
[ 76.889365][ T8839] -----------------------------------------------------
[ 76.897157][ T8839] syz-executor.0/8839 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
[ 76.905519][ T8839] 00000000975a66ed (&ctx->fd_wqh){....}, at: io_submit_one+0xefa/0x2ef0
[ 76.915336][ T8839]
[ 76.915336][ T8839] and this task is already holding:
[ 76.923041][ T8839] 000000006d4c1165 (&(&ctx->ctx_lock)->rlock){..-.}, at: io_submit_one+0xeb5/0x2ef0
[ 76.933411][ T8839] which would create a new lock dependency:
[ 76.939622][ T8839] (&(&ctx->ctx_lock)->rlock){..-.} -> (&ctx->fd_wqh){....}
[ 76.947368][ T8839]
[ 76.947368][ T8839] but this new dependency connects a SOFTIRQ-irq-safe lock:
[ 76.957108][ T8839] (&(&ctx->ctx_lock)->rlock){..-.}
[ 76.957117][ T8839]
[ 76.957117][ T8839] ... which became SOFTIRQ-irq-safe at:
[ 76.970332][ T8839] lock_acquire+0x190/0x410
[ 76.975387][ T8839] _raw_spin_lock_irq+0x60/0x80
[ 76.980527][ T8839] free_ioctx_users+0x2d/0x490
[ 76.985819][ T8839] percpu_ref_switch_to_atomic_rcu+0x4c0/0x570
[ 76.992497][ T8839] rcu_core+0x67f/0x1580
[ 76.997120][ T8839] rcu_core_si+0x9/0x10
[ 77.001560][ T8839] __do_softirq+0x262/0x98c
[ 77.006410][ T8839] run_ksoftirqd+0x8e/0x110
[ 77.011210][ T8839] smpboot_thread_fn+0x6a3/0xa40
[ 77.016686][ T8839] kthread+0x361/0x430
[ 77.020996][ T8839] ret_from_fork+0x24/0x30
[ 77.025486][ T8839]
[ 77.025486][ T8839] to a SOFTIRQ-irq-unsafe lock:
[ 77.032481][ T8839] (&ctx->fault_pending_wqh){+.+.}
[ 77.032489][ T8839]
[ 77.032489][ T8839] ... which became SOFTIRQ-irq-unsafe at:
[ 77.045978][ T8839] ...
[ 77.046001][ T8839] lock_acquire+0x190/0x410
[ 77.053457][ T8839] _raw_spin_lock+0x2f/0x40
[ 77.058155][ T8839] userfaultfd_release+0x4ca/0x710
[ 77.064050][ T8839] __fput+0x2ff/0x890
[ 77.068423][ T8839] ____fput+0x16/0x20
[ 77.072549][ T8839] task_work_run+0x145/0x1c0
[ 77.077236][ T8839] exit_to_usermode_loop+0x280/0x2d0
[ 77.082770][ T8839] do_syscall_64+0x5a9/0x6a0
[ 77.087576][ T8839] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 77.093632][ T8839]
[ 77.093632][ T8839] other info that might help us debug this:
[ 77.093632][ T8839]
[ 77.104477][ T8839] Chain exists of:
[ 77.104477][ T8839] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 77.104477][ T8839]
[ 77.119388][ T8839] Possible interrupt unsafe locking scenario:
[ 77.119388][ T8839]
[ 77.128118][ T8839]        CPU0                    CPU1
[ 77.134425][ T8839]        ----                    ----
[ 77.151375][ T8839]   lock(&ctx->fault_pending_wqh);
[ 77.156685][ T8839]                                local_irq_disable();
[ 77.163594][ T8839]                                lock(&(&ctx->ctx_lock)->rlock);
[ 77.171470][ T8839]                                lock(&ctx->fd_wqh);
[ 77.178573][ T8839]
[ 77.182431][ T8839]     lock(&(&ctx->ctx_lock)->rlock);
[ 77.187939][ T8839]
[ 77.187939][ T8839] *** DEADLOCK ***
[ 77.187939][ T8839]
[ 77.196511][ T8839] 1 lock held by syz-executor.0/8839:
[ 77.201882][ T8839] #0: 000000006d4c1165 (&(&ctx->ctx_lock)->rlock){..-.}, at: io_submit_one+0xeb5/0x2ef0
[ 77.212075][ T8839]
[ 77.212075][ T8839] the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
[ 77.223291][ T8839] -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 77.229243][ T8839] IN-SOFTIRQ-W at:
[ 77.233371][ T8839] lock_acquire+0x190/0x410
[ 77.239532][ T8839] _raw_spin_lock_irq+0x60/0x80
[ 77.246482][ T8839] free_ioctx_users+0x2d/0x490
[ 77.252958][ T8839] percpu_ref_switch_to_atomic_rcu+0x4c0/0x570
[ 77.262974][ T8839] rcu_core+0x67f/0x1580
[ 77.268972][ T8839] rcu_core_si+0x9/0x10
[ 77.274909][ T8839] __do_softirq+0x262/0x98c
[ 77.281345][ T8839] run_ksoftirqd+0x8e/0x110
[ 77.287754][ T8839] smpboot_thread_fn+0x6a3/0xa40
[ 77.294488][ T8839] kthread+0x361/0x430
[ 77.300780][ T8839] ret_from_fork+0x24/0x30
[ 77.307106][ T8839] INITIAL USE at:
[ 77.311090][ T8839] lock_acquire+0x190/0x410
[ 77.317297][ T8839] _raw_spin_lock_irq+0x60/0x80
[ 77.323819][ T8839] free_ioctx_users+0x2d/0x490
[ 77.330299][ T8839] percpu_ref_switch_to_atomic_rcu+0x4c0/0x570
[ 77.338021][ T8839] rcu_core+0x67f/0x1580
[ 77.344100][ T8839] rcu_core_si+0x9/0x10
[ 77.350289][ T8839] __do_softirq+0x262/0x98c
[ 77.356518][ T8839] run_ksoftirqd+0x8e/0x110
[ 77.362862][ T8839] smpboot_thread_fn+0x6a3/0xa40
[ 77.369920][ T8839] kthread+0x361/0x430
[ 77.375543][ T8839] ret_from_fork+0x24/0x30
[ 77.381502][ T8839] }
[ 77.384247][ T8839] ... key at: [] __key.53845+0x0/0x40
[ 77.392897][ T8839] ... acquired at:
[ 77.396838][ T8839] lock_acquire+0x190/0x410
[ 77.401611][ T8839] _raw_spin_lock+0x2f/0x40
[ 77.406784][ T8839] io_submit_one+0xefa/0x2ef0
[ 77.411885][ T8839] __x64_sys_io_submit+0x1bd/0x570
[ 77.417433][ T8839] do_syscall_64+0xfd/0x6a0
[ 77.422114][ T8839] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 77.428920][ T8839]
[ 77.431232][ T8839]
[ 77.431232][ T8839] the dependencies between the lock to be acquired
[ 77.431235][ T8839] and SOFTIRQ-irq-unsafe lock:
[ 77.444879][ T8839] -> (&ctx->fault_pending_wqh){+.+.} {
[ 77.450871][ T8839] HARDIRQ-ON-W at:
[ 77.455239][ T8839] lock_acquire+0x190/0x410
[ 77.462119][ T8839] _raw_spin_lock+0x2f/0x40
[ 77.469350][ T8839] userfaultfd_release+0x4ca/0x710
[ 77.476709][ T8839] __fput+0x2ff/0x890
[ 77.482710][ T8839] ____fput+0x16/0x20
[ 77.488622][ T8839] task_work_run+0x145/0x1c0
[ 77.495376][ T8839] exit_to_usermode_loop+0x280/0x2d0
[ 77.502480][ T8839] do_syscall_64+0x5a9/0x6a0
[ 77.509575][ T8839] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 77.517620][ T8839] SOFTIRQ-ON-W at:
[ 77.522009][ T8839] lock_acquire+0x190/0x410
[ 77.528580][ T8839] _raw_spin_lock+0x2f/0x40
[ 77.535378][ T8839] userfaultfd_release+0x4ca/0x710
[ 77.543347][ T8839] __fput+0x2ff/0x890
[ 77.549308][ T8839] ____fput+0x16/0x20
[ 77.555402][ T8839] task_work_run+0x145/0x1c0
[ 77.562280][ T8839] exit_to_usermode_loop+0x280/0x2d0
[ 77.569860][ T8839] do_syscall_64+0x5a9/0x6a0
[ 77.576408][ T8839] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 77.584762][ T8839] INITIAL USE at:
[ 77.588760][ T8839] lock_acquire+0x190/0x410
[ 77.595596][ T8839] _raw_spin_lock+0x2f/0x40
[ 77.602436][ T8839] userfaultfd_read+0x54d/0x1940
[ 77.609111][ T8839] __vfs_read+0x8a/0x110
[ 77.615184][ T8839] vfs_read+0x1f0/0x440
[ 77.621208][ T8839] ksys_read+0x14f/0x290
[ 77.627380][ T8839] __x64_sys_read+0x73/0xb0
[ 77.633777][ T8839] do_syscall_64+0xfd/0x6a0
[ 77.640442][ T8839] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 77.648505][ T8839] }
[ 77.651262][ T8839] ... key at: [] __key.46557+0x0/0x40
[ 77.659077][ T8839] ... acquired at:
[ 77.662983][ T8839] _raw_spin_lock+0x2f/0x40
[ 77.667664][ T8839] userfaultfd_read+0x54d/0x1940
[ 77.672979][ T8839] __vfs_read+0x8a/0x110
[ 77.677510][ T8839] vfs_read+0x1f0/0x440
[ 77.681892][ T8839] ksys_read+0x14f/0x290
[ 77.686433][ T8839] __x64_sys_read+0x73/0xb0
[ 77.691661][ T8839] do_syscall_64+0xfd/0x6a0
[ 77.696505][ T8839] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 77.702890][ T8839]
[ 77.705201][ T8839] -> (&ctx->fd_wqh){....} {
[ 77.709817][ T8839] INITIAL USE at:
[ 77.714037][ T8839] lock_acquire+0x190/0x410
[ 77.721650][ T8839] _raw_spin_lock_irq+0x60/0x80
[ 77.728300][ T8839] userfaultfd_read+0x27a/0x1940
[ 77.734903][ T8839] __vfs_read+0x8a/0x110
[ 77.740877][ T8839] vfs_read+0x1f0/0x440
[ 77.746690][ T8839] ksys_read+0x14f/0x290
[ 77.752738][ T8839] __x64_sys_read+0x73/0xb0
[ 77.759077][ T8839] do_syscall_64+0xfd/0x6a0
[ 77.765144][ T8839] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 77.773067][ T8839] }
[ 77.775581][ T8839] ... key at: [] __key.46560+0x0/0x40
[ 77.784060][ T8839] ... acquired at:
[ 77.788111][ T8839] lock_acquire+0x190/0x410
[ 77.792897][ T8839] _raw_spin_lock+0x2f/0x40
[ 77.799167][ T8839] io_submit_one+0xefa/0x2ef0
[ 77.804221][ T8839] __x64_sys_io_submit+0x1bd/0x570
[ 77.809957][ T8839] do_syscall_64+0xfd/0x6a0
[ 77.814845][ T8839] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 77.820998][ T8839]
[ 77.823313][ T8839]
[ 77.823313][ T8839] stack backtrace:
[ 77.829315][ T8839] CPU: 1 PID: 8839 Comm: syz-executor.0 Not tainted 5.2.0-rc6-next-20190628 #25
[ 77.839235][ T8839] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 77.849823][ T8839] Call Trace:
[ 77.853235][ T8839] dump_stack+0x172/0x1f0
[ 77.857689][ T8839] check_irq_usage.cold+0x5b4/0x72e
[ 77.862998][ T8839] ? check_usage_forwards+0x330/0x330
[ 77.868785][ T8839] ? check_path+0x26/0x40
[ 77.873380][ T8839] ? kasan_check_read+0x11/0x20
[ 77.878660][ T8839] ? check_noncircular+0x16a/0x3e0
[ 77.884393][ T8839] ? print_circular_bug+0x200/0x200
[ 77.889592][ T8839] ? __lockdep_reset_lock+0x450/0x450
[ 77.895309][ T8839] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 77.901664][ T8839] __lock_acquire+0x25bd/0x4c20
[ 77.906671][ T8839] ? __lock_acquire+0x25bd/0x4c20
[ 77.911928][ T8839] ? mark_held_locks+0xf0/0xf0
[ 77.917130][ T8839] ? trace_hardirqs_on+0x67/0x240
[ 77.922160][ T8839] ? kasan_check_read+0x11/0x20
[ 77.927406][ T8839] lock_acquire+0x190/0x410
[ 77.932267][ T8839] ? io_submit_one+0xefa/0x2ef0
[ 77.937318][ T8839] _raw_spin_lock+0x2f/0x40
[ 77.941935][ T8839] ? io_submit_one+0xefa/0x2ef0
[ 77.946803][ T8839] io_submit_one+0xefa/0x2ef0
[ 77.951730][ T8839] ? lookup_ioctx+0x1d7/0x830
[ 77.956817][ T8839] ? ioctx_alloc+0x1dc0/0x1dc0
[ 77.963439][ T8839] ? aio_setup_rw+0x180/0x180
[ 77.968348][ T8839] __x64_sys_io_submit+0x1bd/0x570
[ 77.973703][ T8839] ? __x64_sys_io_submit+0x1bd/0x570
[ 77.979100][ T8839] ? __ia32_sys_io_destroy+0x420/0x420
[ 77.984559][ T8839] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 77.990261][ T8839] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 77.995747][ T8839] ? do_syscall_64+0x26/0x6a0
[ 78.000708][ T8839] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.007303][ T8839] ? do_syscall_64+0x26/0x6a0
[ 78.012565][ T8839] ? lockdep_hardirqs_on+0x418/0x5d0
[ 78.017846][ T8839] do_syscall_64+0xfd/0x6a0
[ 78.022510][ T8839] ? do_syscall_64+0xfd/0x6a0
[ 78.027184][ T8839] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.033573][ T8839] RIP: 0033:0x459519
[ 78.037509][ T8839] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 78.059434][ T8839] RSP: 002b:00007f1cc0632c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
[ 78.068038][ T8839] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459519
[ 78.076214][ T8839] RDX: 0000000020000600 RSI: 0000000000000001 RDI: 00007f1cc0634000
[ 78.084205][ T8839] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 78.092642][ T8839] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1cc06336d4
[ 78.100617][ T8839] R13: 00000000004c0898 R14: 00000000004d3548 R15: 00000000ffffffff
[ 78.192015][ T3879] kobject: 'loop0' (0000000035edc7e8): kobject_uevent_env
[ 78.199723][ T3879] kobject: 'loop0' (0000000035edc7e8): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 79.133220][ T3879] kobject: 'loop0' (0000000035edc7e8): kobject_uevent_env
[ 79.140552][ T3879] kobject: 'loop0' (0000000035edc7e8): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 80.081296][ T3879] kobject: 'loop0' (0000000035edc7e8): kobject_uevent_env
[ 80.089122][ T3879] kobject: 'loop0' (0000000035edc7e8): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 80.972793][ T3879] kobject: 'loop0' (0000000035edc7e8): kobject_uevent_env
[ 80.980199][ T3879] kobject: 'loop0' (0000000035edc7e8): fill_kobj_path: path = '/devices/virtual/block/loop0'
2019/06/29 19:27:50 executed programs: 10
[ 81.911998][ T3879] kobject: 'loop0' (0000000035edc7e8): kobject_uevent_env
[ 81.919402][ T3879] kobject: 'loop0' (0000000035edc7e8): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 82.851789][ T3879] kobject: 'loop0' (0000000035edc7e8): kobject_uevent_env
[ 82.859138][ T3879] kobject: 'loop0' (0000000035edc7e8): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 83.792021][ T3879] kobject: 'loop0' (0000000035edc7e8): kobject_uevent_env
[ 83.799777][ T3879] kobject: 'loop0' (0000000035edc7e8): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 84.731988][ T3879] kobject: 'loop0' (0000000035edc7e8): kobject_uevent_env
[ 84.739217][ T3879] kobject: 'loop0' (0000000035edc7e8): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 85.681802][ T3879] kobject: 'loop0' (0000000035edc7e8): kobject_uevent_env
[ 85.689027][ T3879] kobject: 'loop0' (0000000035edc7e8): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 86.651992][ T3879] kobject: 'loop0' (0000000035edc7e8): kobject_uevent_env
[ 86.659352][ T3879] kobject: 'loop0' (0000000035edc7e8): fill_kobj_path: path = '/devices/virtual/block/loop0'