[ 39.550886] audit: type=1800 audit(1566669937.602:32): pid=7439 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 43.930777] kauditd_printk_skb: 2 callbacks suppressed
[ 43.930792] audit: type=1400 audit(1566669942.072:35): avc: denied { map } for pid=7612 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.10.16' (ECDSA) to the list of known hosts.
executing program
[ 50.470430] audit: type=1400 audit(1566669948.612:36): avc: denied { map } for pid=7624 comm="syz-executor316" path="/root/syz-executor316058378" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 50.517757]
[ 50.519628] ========================================================
[ 50.527266] WARNING: possible irq lock inversion dependency detected
[ 50.534441] 4.19.67 #41 Not tainted
[ 50.538064] --------------------------------------------------------
[ 50.545336] swapper/1/0 just changed the state of lock:
[ 50.550871] 00000000e5c8d103 (&(&ctx->ctx_lock)->rlock){..-.}, at: free_ioctx_users+0x2d/0x490
[ 50.559987] but this lock took another, SOFTIRQ-unsafe lock in the past:
[ 50.566901]  (&fiq->waitq){+.+.}
[ 50.566912]
[ 50.566912]
[ 50.566912] and interrupts could create inverse lock ordering between them.
[ 50.566912]
[ 50.582749]
[ 50.582749] other info that might help us debug this:
[ 50.589528]  Possible interrupt unsafe locking scenario:
[ 50.589528]
[ 50.597279]        CPU0                    CPU1
[ 50.602235]        ----                    ----
[ 50.607014]   lock(&fiq->waitq);
[ 50.610381]                                local_irq_disable();
[ 50.616595]                                lock(&(&ctx->ctx_lock)->rlock);
[ 50.624121]                                lock(&fiq->waitq);
[ 50.630010]   <Interrupt>
[ 50.632763]     lock(&(&ctx->ctx_lock)->rlock);
[ 50.637416]
[ 50.637416]  *** DEADLOCK ***
[ 50.637416]
[ 50.643810] 2 locks held by swapper/1/0:
[ 50.648192]  #0: 000000003ef6e830 (rcu_callback){....}, at: rcu_process_callbacks+0xc79/0x1a30
[ 50.657224]  #1: 000000002be29122 (rcu_read_lock_sched){....}, at: percpu_ref_switch_to_atomic_rcu+0x1ca/0x540
[ 50.667689]
[ 50.667689] the shortest dependencies between 2nd lock and 1st lock:
[ 50.675867]  -> (&fiq->waitq){+.+.} ops: 4 {
[ 50.680445]     HARDIRQ-ON-W at:
[ 50.683825]       lock_acquire+0x16f/0x3f0
[ 50.689487]       _raw_spin_lock+0x2f/0x40
[ 50.695912]       flush_bg_queue+0x1f3/0x3d0
[ 50.701993]       fuse_request_send_background_locked+0x26d/0x4e0
[ 50.711298]       fuse_request_send_background+0x12b/0x180
[ 50.718882]       cuse_channel_open+0x5ba/0x830
[ 50.725284]       misc_open+0x395/0x4c0
[ 50.731047]       chrdev_open+0x245/0x6b0
[ 50.737559]       do_dentry_open+0x4c3/0x1210
[ 50.743672]       vfs_open+0xa0/0xd0
[ 50.748804]       path_openat+0x10d7/0x45e0
[ 50.754991]       do_filp_open+0x1a1/0x280
[ 50.761233]       do_sys_open+0x3fe/0x550
[ 50.767007]       __x64_sys_openat+0x9d/0x100
[ 50.773424]       do_syscall_64+0xfd/0x620
[ 50.779897]       entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.787874]     SOFTIRQ-ON-W at:
[ 50.791396]       lock_acquire+0x16f/0x3f0
[ 50.797442]       _raw_spin_lock+0x2f/0x40
[ 50.803328]       flush_bg_queue+0x1f3/0x3d0
[ 50.809113]       fuse_request_send_background_locked+0x26d/0x4e0
[ 50.816955]       fuse_request_send_background+0x12b/0x180
[ 50.824047]       cuse_channel_open+0x5ba/0x830
[ 50.830276]       misc_open+0x395/0x4c0
[ 50.835639]       chrdev_open+0x245/0x6b0
[ 50.841168]       do_dentry_open+0x4c3/0x1210
[ 50.847156]       vfs_open+0xa0/0xd0
[ 50.852551]       path_openat+0x10d7/0x45e0
[ 50.858252]       do_filp_open+0x1a1/0x280
[ 50.863943]       do_sys_open+0x3fe/0x550
[ 50.869734]       __x64_sys_openat+0x9d/0x100
[ 50.875856]       do_syscall_64+0xfd/0x620
[ 50.882173]       entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.889172]     INITIAL USE at:
[ 50.892450]       lock_acquire+0x16f/0x3f0
[ 50.897998]       _raw_spin_lock+0x2f/0x40
[ 50.903531]       flush_bg_queue+0x1f3/0x3d0
[ 50.909232]       fuse_request_send_background_locked+0x26d/0x4e0
[ 50.916784]       fuse_request_send_background+0x12b/0x180
[ 50.923722]       cuse_channel_open+0x5ba/0x830
[ 50.929686]       misc_open+0x395/0x4c0
[ 50.935143]       chrdev_open+0x245/0x6b0
[ 50.940700]       do_dentry_open+0x4c3/0x1210
[ 50.946929]       vfs_open+0xa0/0xd0
[ 50.952056]       path_openat+0x10d7/0x45e0
[ 50.958361]       do_filp_open+0x1a1/0x280
[ 50.963964]       do_sys_open+0x3fe/0x550
[ 50.969438]       __x64_sys_openat+0x9d/0x100
[ 50.975325]       do_syscall_64+0xfd/0x620
[ 50.980908]       entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.988138]   }
[ 50.990160]   ... key at: [] __key.42212+0x0/0x40
[ 50.996982]   ... acquired at:
[ 51.000281]    _raw_spin_lock+0x2f/0x40
[ 51.004511]    io_submit_one+0xef2/0x2eb0
[ 51.008831]    __x64_sys_io_submit+0x1aa/0x520
[ 51.013408]    do_syscall_64+0xfd/0x620
[ 51.017491]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.022841]
[ 51.024965] -> (&(&ctx->ctx_lock)->rlock){..-.} ops: 2 {
[ 51.030688]    IN-SOFTIRQ-W at:
[ 51.034061]      lock_acquire+0x16f/0x3f0
[ 51.039505]      _raw_spin_lock_irq+0x60/0x80
[ 51.045387]      free_ioctx_users+0x2d/0x490
[ 51.051182]      percpu_ref_switch_to_atomic_rcu+0x407/0x540
[ 51.066359]      rcu_process_callbacks+0xba0/0x1a30
[ 51.072982]      __do_softirq+0x25c/0x921
[ 51.078621]      irq_exit+0x180/0x1d0
[ 51.083715]      smp_apic_timer_interrupt+0x13b/0x550
[ 51.090197]      apic_timer_interrupt+0xf/0x20
[ 51.096095]      native_safe_halt+0xe/0x10
[ 51.101746]      arch_cpu_idle+0xa/0x10
[ 51.107222]      default_idle_call+0x36/0x90
[ 51.113021]      do_idle+0x377/0x560
[ 51.118029]      cpu_startup_entry+0xc8/0xe0
[ 51.123732]      start_secondary+0x3e8/0x5b0
[ 51.129587]      secondary_startup_64+0xa4/0xb0
[ 51.135562]    INITIAL USE at:
[ 51.138761]      lock_acquire+0x16f/0x3f0
[ 51.144226]      _raw_spin_lock_irq+0x60/0x80
[ 51.150141]      io_submit_one+0xead/0x2eb0
[ 51.155790]      __x64_sys_io_submit+0x1aa/0x520
[ 51.161977]      do_syscall_64+0xfd/0x620
[ 51.167341]      entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.174258]  }
[ 51.176521]  ... key at: [] __key.50212+0x0/0x40
[ 51.183259]  ... acquired at:
[ 51.186386]    mark_lock+0x420/0x1370
[ 51.190295]    __lock_acquire+0xc62/0x49c0
[ 51.194878]    lock_acquire+0x16f/0x3f0
[ 51.198955]    _raw_spin_lock_irq+0x60/0x80
[ 51.203267]    free_ioctx_users+0x2d/0x490
[ 51.207490]    percpu_ref_switch_to_atomic_rcu+0x407/0x540
[ 51.213223]    rcu_process_callbacks+0xba0/0x1a30
[ 51.218059]    __do_softirq+0x25c/0x921
[ 51.222412]    irq_exit+0x180/0x1d0
[ 51.226048]    smp_apic_timer_interrupt+0x13b/0x550
[ 51.231143]    apic_timer_interrupt+0xf/0x20
[ 51.235656]    native_safe_halt+0xe/0x10
[ 51.239709]    arch_cpu_idle+0xa/0x10
[ 51.243691]    default_idle_call+0x36/0x90
[ 51.247926]    do_idle+0x377/0x560
[ 51.251632]    cpu_startup_entry+0xc8/0xe0
[ 51.255862]    start_secondary+0x3e8/0x5b0
[ 51.260107]    secondary_startup_64+0xa4/0xb0
[ 51.265078]
[ 51.266724]
[ 51.266724] stack backtrace:
[ 51.271304] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.19.67 #41
[ 51.277973] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.288340] Call Trace:
[ 51.291249]  <IRQ>
[ 51.293491]  dump_stack+0x172/0x1f0
[ 51.297889]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 51.303850]  check_usage_forwards.cold+0x20/0x29
[ 51.308613]  ? check_usage_backwards+0x340/0x340
[ 51.313709]  ? save_stack_trace+0x1a/0x20
[ 51.318080]  ? save_trace+0xe0/0x290
[ 51.322068]  mark_lock+0x420/0x1370
[ 51.325708]  ? check_usage_backwards+0x340/0x340
[ 51.330549]  __lock_acquire+0xc62/0x49c0
[ 51.334602]  ? mark_held_locks+0x100/0x100
[ 51.339029]  ? mark_held_locks+0x100/0x100
[ 51.343282]  ? __wake_up_common_lock+0xfe/0x190
[ 51.348159]  ? mark_held_locks+0x100/0x100
[ 51.352394]  ? __wake_up_common_lock+0xfe/0x190
[ 51.357094]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 51.362552]  ? lockdep_hardirqs_on+0x19b/0x5d0
[ 51.367222]  ? trace_hardirqs_on+0x67/0x220
[ 51.371717]  ? kasan_check_read+0x11/0x20
[ 51.376060]  lock_acquire+0x16f/0x3f0
[ 51.379943]  ? free_ioctx_users+0x2d/0x490
[ 51.384183]  _raw_spin_lock_irq+0x60/0x80
[ 51.388420]  ? free_ioctx_users+0x2d/0x490
[ 51.392887]  free_ioctx_users+0x2d/0x490
[ 51.397109]  ? rcu_dynticks_curr_cpu_in_eqs+0x51/0xb0
[ 51.402451]  percpu_ref_switch_to_atomic_rcu+0x407/0x540
[ 51.408085]  ? percpu_ref_exit+0xd0/0xd0
[ 51.412406]  rcu_process_callbacks+0xba0/0x1a30
[ 51.417213]  ? __rcu_read_unlock+0x170/0x170
[ 51.421717]  __do_softirq+0x25c/0x921
[ 51.425783]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 51.431407]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 51.437266]  irq_exit+0x180/0x1d0
[ 51.440779]  smp_apic_timer_interrupt+0x13b/0x550
[ 51.445743]  apic_timer_interrupt+0xf/0x20
[ 51.450014]  </IRQ>
[ 51.452252] RIP: 0010:native_safe_halt+0xe/0x10
[ 51.456910] Code: ff ff 48 89 df e8 c2 47 ae fa eb 82 e9 07 00 00 00 0f 00 2d 84 2e 54 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 74 2e 54 00 fb f4 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 e8 7e 2b 66 fa e8 99
[ 51.476342] RSP: 0018:ffff8880aa27fd00 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
[ 51.484042] RAX: 1ffffffff10e489c RBX: ffff8880aa2703c0 RCX: 0000000000000000
[ 51.491399] RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff8880aa270c3c
[ 51.498667] RBP: ffff8880aa27fd30 R08: ffff8880aa2703c0 R09: 0000000000000000
[ 51.506150] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[ 51.513419] R13: ffffffff887244d0 R14: 0000000000000001 R15: 0000000000000000
[ 51.520926]  ? default_idle+0x4e/0x320
[ 51.524804]  arch_cpu_idle+0xa/0x10
[ 51.528576]  default_idle_call+0x36/0x90
[ 51.532635]  do_idle+0x377/0x560
[ 51.536154]  ? arch_cpu_idle_exit+0x80/0x80
[ 51.540555]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 51.545665]  ? complete+0x61/0x80
[ 51.549108]  cpu_startup_entry+0xc8/0xe0
[ 51.553289]  ? cpu_in_idle+0x20/0x20
[ 51.557344]  ? setup_APIC_timer+0x1aa/0x200
[ 51.561765]  start_secondary+0x3e8/0x5b0
[ 51.565994]  ? set_cpu_sibling_map+0x1860/0x1860
[ 51.571288]  secondary_startup_64+0xa4/0x