[ 47.181711] audit: type=1800 audit(1561658648.360:30): pid=7741 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 52.523463] kauditd_printk_skb: 4 callbacks suppressed
[ 52.523496] audit: type=1400 audit(1561658653.720:35): avc: denied { map } for pid=7916 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.132' (ECDSA) to the list of known hosts.
[ 59.516424] audit: type=1400 audit(1561658660.710:36): avc: denied { map } for pid=7928 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/06/27 18:04:21 parsed 1 programs
[ 60.481353] audit: type=1400 audit(1561658661.680:37): avc: denied { map } for pid=7928 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=67 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/06/27 18:04:23 executed programs: 0
[ 62.595143] IPVS: ftp: loaded support on port[0] = 21
[ 62.663823] chnl_net:caif_netlink_parms(): no params data found
[ 62.698555] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.705525] bridge0: port 1(bridge_slave_0) entered disabled state
[ 62.712973] device bridge_slave_0 entered promiscuous mode
[ 62.720955] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.727585] bridge0: port 2(bridge_slave_1) entered disabled state
[ 62.734955] device bridge_slave_1 entered promiscuous mode
[ 62.751150] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 62.760248] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 62.778023] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 62.785908] team0: Port device team_slave_0 added
[ 62.791560] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 62.799030] team0: Port device team_slave_1 added
[ 62.804843] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 62.812328] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 62.882694] device hsr_slave_0 entered promiscuous mode
[ 62.950465] device hsr_slave_1 entered promiscuous mode
[ 63.030732] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 63.037882] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 63.052599] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.059181] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 63.066445] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.072876] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 63.106731] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 63.114577] 8021q: adding VLAN 0 to HW filter on device bond0
[ 63.124009] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 63.133929] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 63.153691] bridge0: port 1(bridge_slave_0) entered disabled state
[ 63.161850] bridge0: port 2(bridge_slave_1) entered disabled state
[ 63.169302] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 63.181257] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 63.187468] 8021q: adding VLAN 0 to HW filter on device team0
[ 63.197226] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 63.205156] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.211566] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 63.221481] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 63.229161] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.235833] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 63.250612] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 63.265981] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 63.276565] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 63.288215] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 63.294962] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 63.302441] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 63.311089] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 63.318994] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 63.326809] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 63.339270] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 63.350606] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 63.361395] audit: type=1400 audit(1561658664.560:38): avc: denied { associate } for pid=7945 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2019/06/27 18:04:29 executed programs: 5
2019/06/27 18:04:34 executed programs: 11
[ 78.107149]
[ 78.109101] =====================================================
[ 78.115371] WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
[ 78.122460] 4.19.56 #28 Not tainted
[ 78.126136] -----------------------------------------------------
[ 78.132513] syz-executor.0/8030 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
[ 78.139858] 00000000106df067 (&ctx->fd_wqh){....}, at: io_submit_one+0xef2/0x2eb0
[ 78.147909]
[ 78.147909] and this task is already holding:
[ 78.154215] 00000000ddfab07f (&(&ctx->ctx_lock)->rlock){..-.}, at: io_submit_one+0xead/0x2eb0
[ 78.162912] which would create a new lock dependency:
[ 78.168099] (&(&ctx->ctx_lock)->rlock){..-.} -> (&ctx->fd_wqh){....}
[ 78.174702]
[ 78.174702] but this new dependency connects a SOFTIRQ-irq-safe lock:
[ 78.183035] (&(&ctx->ctx_lock)->rlock){..-.}
[ 78.183049]
[ 78.183049] ... which became SOFTIRQ-irq-safe at:
[ 78.194261] lock_acquire+0x16f/0x3f0
[ 78.198310] _raw_spin_lock_irq+0x60/0x80
[ 78.202552] free_ioctx_users+0x2d/0x490
[ 78.206740] percpu_ref_switch_to_atomic_rcu+0x407/0x540
[ 78.212294] rcu_process_callbacks+0xba0/0x1a30
[ 78.217170] __do_softirq+0x25c/0x921
[ 78.221186] irq_exit+0x180/0x1d0
[ 78.224732] smp_apic_timer_interrupt+0x13b/0x550
[ 78.229932] apic_timer_interrupt+0xf/0x20
[ 78.234477] native_safe_halt+0xe/0x10
[ 78.238486] arch_cpu_idle+0xa/0x10
[ 78.242536] default_idle_call+0x36/0x90
[ 78.246693] do_idle+0x377/0x560
[ 78.250164] cpu_startup_entry+0xc8/0xe0
[ 78.254389] rest_init+0xf1/0xf6
[ 78.258053] start_kernel+0x88c/0x8c5
[ 78.261971] x86_64_start_reservations+0x29/0x2b
[ 78.266829] x86_64_start_kernel+0x77/0x7b
[ 78.271488] secondary_startup_64+0xa4/0xb0
[ 78.277143]
[ 78.277143] to a SOFTIRQ-irq-unsafe lock:
[ 78.282853] (&ctx->fault_pending_wqh){+.+.}
[ 78.282866]
[ 78.282866] ... which became SOFTIRQ-irq-unsafe at:
[ 78.294027] ...
[ 78.294052] lock_acquire+0x16f/0x3f0
[ 78.299824] _raw_spin_lock+0x2f/0x40
[ 78.303981] userfaultfd_release+0x4d6/0x720
[ 78.308492] __fput+0x2dd/0x8b0
[ 78.311862] ____fput+0x16/0x20
[ 78.315231] task_work_run+0x145/0x1c0
[ 78.319211] get_signal+0x1baa/0x1fc0
[ 78.323093] do_signal+0x95/0x1960
[ 78.326721] exit_to_usermode_loop+0x244/0x2c0
[ 78.331395] do_syscall_64+0x53d/0x620
[ 78.335361] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.340613]
[ 78.340613] other info that might help us debug this:
[ 78.340613]
[ 78.349111] Chain exists of:
[ 78.349111] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 78.349111]
[ 78.361298] Possible interrupt unsafe locking scenario:
[ 78.361298]
[ 78.368220]        CPU0                    CPU1
[ 78.372873]        ----                    ----
[ 78.377616]   lock(&ctx->fault_pending_wqh);
[ 78.382022]                                local_irq_disable();
[ 78.388285]                                lock(&(&ctx->ctx_lock)->rlock);
[ 78.395296]                                lock(&ctx->fd_wqh);
[ 78.401311]
[ 78.404057]     lock(&(&ctx->ctx_lock)->rlock);
[ 78.408722]
[ 78.408722] *** DEADLOCK ***
[ 78.408722]
[ 78.414916] 1 lock held by syz-executor.0/8030:
[ 78.419581] #0: 00000000ddfab07f (&(&ctx->ctx_lock)->rlock){..-.}, at: io_submit_one+0xead/0x2eb0
[ 78.428979]
[ 78.428979] the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
[ 78.438394] -> (&(&ctx->ctx_lock)->rlock){..-.} ops: 16 {
[ 78.443934] IN-SOFTIRQ-W at:
[ 78.447208] lock_acquire+0x16f/0x3f0
[ 78.452755] _raw_spin_lock_irq+0x60/0x80
[ 78.458706] free_ioctx_users+0x2d/0x490
[ 78.464426] percpu_ref_switch_to_atomic_rcu+0x407/0x540
[ 78.471543] rcu_process_callbacks+0xba0/0x1a30
[ 78.478150] __do_softirq+0x25c/0x921
[ 78.483614] irq_exit+0x180/0x1d0
[ 78.488776] smp_apic_timer_interrupt+0x13b/0x550
[ 78.495374] apic_timer_interrupt+0xf/0x20
[ 78.501811] native_safe_halt+0xe/0x10
[ 78.507791] arch_cpu_idle+0xa/0x10
[ 78.513131] default_idle_call+0x36/0x90
[ 78.518860] do_idle+0x377/0x560
[ 78.524185] cpu_startup_entry+0xc8/0xe0
[ 78.529907] rest_init+0xf1/0xf6
[ 78.535241] start_kernel+0x88c/0x8c5
[ 78.541102] x86_64_start_reservations+0x29/0x2b
[ 78.548189] x86_64_start_kernel+0x77/0x7b
[ 78.554773] secondary_startup_64+0xa4/0xb0
[ 78.560971] INITIAL USE at:
[ 78.564349] lock_acquire+0x16f/0x3f0
[ 78.569720] _raw_spin_lock_irq+0x60/0x80
[ 78.575450] free_ioctx_users+0x2d/0x490
[ 78.581257] percpu_ref_switch_to_atomic_rcu+0x407/0x540
[ 78.588510] rcu_process_callbacks+0xba0/0x1a30
[ 78.595085] __do_softirq+0x25c/0x921
[ 78.601297] irq_exit+0x180/0x1d0
[ 78.606332] smp_apic_timer_interrupt+0x13b/0x550
[ 78.612759] apic_timer_interrupt+0xf/0x20
[ 78.618564] native_safe_halt+0xe/0x10
[ 78.624308] arch_cpu_idle+0xa/0x10
[ 78.629501] default_idle_call+0x36/0x90
[ 78.635208] do_idle+0x377/0x560
[ 78.640284] cpu_startup_entry+0xc8/0xe0
[ 78.645965] rest_init+0xf1/0xf6
[ 78.650901] start_kernel+0x88c/0x8c5
[ 78.656267] x86_64_start_reservations+0x29/0x2b
[ 78.662618] x86_64_start_kernel+0x77/0x7b
[ 78.668563] secondary_startup_64+0xa4/0xb0
[ 78.674563] }
[ 78.676389] ... key at: [] __key.50193+0x0/0x40
[ 78.683136] ... acquired at:
[ 78.686238] lock_acquire+0x16f/0x3f0
[ 78.690229] _raw_spin_lock+0x2f/0x40
[ 78.694214] io_submit_one+0xef2/0x2eb0
[ 78.698710] __x64_sys_io_submit+0x1aa/0x520
[ 78.703301] do_syscall_64+0xfd/0x620
[ 78.707281] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.712768]
[ 78.714385]
[ 78.714385] the dependencies between the lock to be acquired
[ 78.714391] and SOFTIRQ-irq-unsafe lock:
[ 78.725816] -> (&ctx->fault_pending_wqh){+.+.} ops: 85 {
[ 78.731397] HARDIRQ-ON-W at:
[ 78.734782] lock_acquire+0x16f/0x3f0
[ 78.740410] _raw_spin_lock+0x2f/0x40
[ 78.746042] userfaultfd_release+0x4d6/0x720
[ 78.752571] __fput+0x2dd/0x8b0
[ 78.757684] ____fput+0x16/0x20
[ 78.762794] task_work_run+0x145/0x1c0
[ 78.768511] get_signal+0x1baa/0x1fc0
[ 78.774143] do_signal+0x95/0x1960
[ 78.779520] exit_to_usermode_loop+0x244/0x2c0
[ 78.786010] do_syscall_64+0x53d/0x620
[ 78.791734] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.798732] SOFTIRQ-ON-W at:
[ 78.802101] lock_acquire+0x16f/0x3f0
[ 78.807870] _raw_spin_lock+0x2f/0x40
[ 78.813505] userfaultfd_release+0x4d6/0x720
[ 78.819744] __fput+0x2dd/0x8b0
[ 78.824855] ____fput+0x16/0x20
[ 78.830179] task_work_run+0x145/0x1c0
[ 78.835913] get_signal+0x1baa/0x1fc0
[ 78.841692] do_signal+0x95/0x1960
[ 78.847065] exit_to_usermode_loop+0x244/0x2c0
[ 78.853481] do_syscall_64+0x53d/0x620
[ 78.859188] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.866302] INITIAL USE at:
[ 78.869575] lock_acquire+0x16f/0x3f0
[ 78.875116] _raw_spin_lock+0x2f/0x40
[ 78.880661] userfaultfd_read+0x394/0x18c0
[ 78.886627] __vfs_read+0x114/0x800
[ 78.892021] vfs_read+0x194/0x3d0
[ 78.897217] ksys_read+0x14f/0x2d0
[ 78.902848] __x64_sys_read+0x73/0xb0
[ 78.908622] do_syscall_64+0xfd/0x620
[ 78.914188] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.921107] }
[ 78.923192] ... key at: [] __key.43727+0x0/0x40
[ 78.930044] ... acquired at:
[ 78.933252] _raw_spin_lock+0x2f/0x40
[ 78.937244] userfaultfd_read+0x394/0x18c0
[ 78.941651] __vfs_read+0x114/0x800
[ 78.945447] vfs_read+0x194/0x3d0
[ 78.949111] ksys_read+0x14f/0x2d0
[ 78.952822] __x64_sys_read+0x73/0xb0
[ 78.956801] do_syscall_64+0xfd/0x620
[ 78.960903] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.966390]
[ 78.968002] -> (&ctx->fd_wqh){....} ops: 87 {
[ 78.972496] INITIAL USE at:
[ 78.975729] lock_acquire+0x16f/0x3f0
[ 78.981217] _raw_spin_lock_irq+0x60/0x80
[ 78.987030] userfaultfd_read+0x262/0x18c0
[ 78.992838] __vfs_read+0x114/0x800
[ 78.998076] vfs_read+0x194/0x3d0
[ 79.003620] ksys_read+0x14f/0x2d0
[ 79.008912] __x64_sys_read+0x73/0xb0
[ 79.014281] do_syscall_64+0xfd/0x620
[ 79.019699] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.026826] }
[ 79.028635] ... key at: [] __key.43730+0x0/0x40
[ 79.035517] ... acquired at:
[ 79.038642] lock_acquire+0x16f/0x3f0
[ 79.042836] _raw_spin_lock+0x2f/0x40
[ 79.047094] io_submit_one+0xef2/0x2eb0
[ 79.051323] __x64_sys_io_submit+0x1aa/0x520
[ 79.056105] do_syscall_64+0xfd/0x620
[ 79.060104] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.065466]
[ 79.067075]
[ 79.067075] stack backtrace:
[ 79.071652] CPU: 0 PID: 8030 Comm: syz-executor.0 Not tainted 4.19.56 #28
[ 79.078659] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 79.088117] Call Trace:
[ 79.090825] dump_stack+0x172/0x1f0
[ 79.094698] check_usage.cold+0x611/0x946
[ 79.099045] ? check_usage_forwards+0x340/0x340
[ 79.104099] ? unwind_get_return_address+0x61/0xa0
[ 79.109047] ? check_noncircular+0x20/0x20
[ 79.113507] ? check_noncircular+0x20/0x20
[ 79.117761] __lock_acquire+0x1ee4/0x48f0
[ 79.121919] ? __lock_acquire+0x1ee4/0x48f0
[ 79.126251] ? mark_held_locks+0x100/0x100
[ 79.130682] ? __debug_object_init+0x190/0xc30
[ 79.135317] ? mark_held_locks+0x100/0x100
[ 79.139560] ? add_wait_queue+0x112/0x170
[ 79.143762] ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 79.149069] ? add_wait_queue+0x112/0x170
[ 79.153361] ? lockdep_hardirqs_on+0x415/0x5d0
[ 79.158045] ? trace_hardirqs_on+0x67/0x220
[ 79.162387] ? kasan_check_read+0x11/0x20
[ 79.166621] lock_acquire+0x16f/0x3f0
[ 79.170521] ? io_submit_one+0xef2/0x2eb0
[ 79.174768] _raw_spin_lock+0x2f/0x40
[ 79.178589] ? io_submit_one+0xef2/0x2eb0
[ 79.182757] io_submit_one+0xef2/0x2eb0
[ 79.186752] ? ioctx_alloc+0x1db0/0x1db0
[ 79.191290] ? __might_fault+0x12b/0x1e0
[ 79.195347] ? aio_setup_rw+0x180/0x180
[ 79.199380] __x64_sys_io_submit+0x1aa/0x520
[ 79.203795] ? __x64_sys_io_submit+0x1aa/0x520
[ 79.208381] ? __ia32_sys_io_destroy+0x420/0x420
[ 79.213155] ? do_syscall_64+0x26/0x620
[ 79.217370] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.222747] ? do_syscall_64+0x26/0x620
[ 79.226729] ? lockdep_hardirqs_on+0x415/0x5d0
[ 79.231311] do_syscall_64+0xfd/0x620
[ 79.235117] ? do_syscall_64+0xfd/0x620
[ 79.239144] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.244335] RIP: 0033:0x459519
[ 79.247625] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 79.266586] RSP: 002b:00007f76e6e80c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
[ 79.274742] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459519
[ 79.282086] RDX: 0000000020000600 RSI: 0000000000000001 RDI: 00007f76e6e82000
[ 79.289367] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 79.296687] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f76e6e816d4
[ 79.303966] R13: 00000000004c0898 R14: 00000000004d3548 R15: 00000000ffffffff
2019/06/27 18:04:40 executed programs: 16
[ 79.414075] kobject: 'loop0' (00000000fcf13572): kobject_uevent_env
[ 79.420827] kobject: 'loop0' (00000000fcf13572): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 80.353109] kobject: 'loop0' (00000000fcf13572): kobject_uevent_env
[ 80.359599] kobject: 'loop0' (00000000fcf13572): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 81.283575] kobject: 'loop0' (00000000fcf13572): kobject_uevent_env
[ 81.290150] kobject: 'loop0' (00000000fcf13572): fill_kobj_path: path = '/devices/virtual/block/loop0'