Warning: Permanently added '10.128.10.1' (ECDSA) to the list of known hosts.
executing program
[ 51.326717] audit: type=1400 audit(1560751472.648:36): avc: denied { map } for pid=7600 comm="syz-executor242" path="/root/syz-executor242166125" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 51.612814]
[ 51.615120] ========================================================
[ 51.622479] WARNING: possible irq lock inversion dependency detected
[ 51.629447] 4.19.51 #23 Not tainted
[ 51.633323] --------------------------------------------------------
[ 51.639989] syz-executor242/7602 just changed the state of lock:
[ 51.646346] 0000000085faf78b (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x4d6/0x720
[ 51.655458] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 51.663047]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 51.663058]
[ 51.663058]
[ 51.663058] and interrupts could create inverse lock ordering between them.
[ 51.663058]
[ 51.679460]
[ 51.679460] other info that might help us debug this:
[ 51.686384] Chain exists of:
[ 51.686384]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 51.686384]
[ 51.698975]  Possible interrupt unsafe locking scenario:
[ 51.698975]
[ 51.706207]        CPU0                    CPU1
[ 51.711042]        ----                    ----
[ 51.715857]   lock(&ctx->fault_pending_wqh);
[ 51.720963]                                local_irq_disable();
[ 51.727190]                                lock(&(&ctx->ctx_lock)->rlock);
[ 51.734290]                                lock(&ctx->fd_wqh);
[ 51.740336]
[ 51.743182]     lock(&(&ctx->ctx_lock)->rlock);
[ 51.747982]
[ 51.747982]  *** DEADLOCK ***
[ 51.747982]
[ 51.754145] no locks held by syz-executor242/7602.
[ 51.759235]
[ 51.759235] the shortest dependencies between 2nd lock and 1st lock:
[ 51.767374] -> (&(&ctx->ctx_lock)->rlock){..-.} ops: 2 {
[ 51.773000]    IN-SOFTIRQ-W at:
[ 51.776556]                     lock_acquire+0x16f/0x3f0
[ 51.782457]                     _raw_spin_lock_irq+0x60/0x80
[ 51.789115]                     free_ioctx_users+0x2d/0x490
[ 51.795378]                     percpu_ref_switch_to_atomic_rcu+0x407/0x540
[ 51.802988]                     rcu_process_callbacks+0xba0/0x1a30
[ 51.809744]                     __do_softirq+0x25c/0x921
[ 51.815868]                     irq_exit+0x180/0x1d0
[ 51.821586]                     smp_apic_timer_interrupt+0x13b/0x550
[ 51.828781]                     apic_timer_interrupt+0xf/0x20
[ 51.835269]                     native_safe_halt+0xe/0x10
[ 51.841321]                     arch_cpu_idle+0xa/0x10
[ 51.847152]                     default_idle_call+0x36/0x90
[ 51.853288]                     do_idle+0x377/0x560
[ 51.858732]                     cpu_startup_entry+0xc8/0xe0
[ 51.865172]                     rest_init+0xf1/0xf6
[ 51.870522]                     start_kernel+0x88c/0x8c5
[ 51.877088]                     x86_64_start_reservations+0x29/0x2b
[ 51.884043]                     x86_64_start_kernel+0x77/0x7b
[ 51.890898]                     secondary_startup_64+0xa4/0xb0
[ 51.897500]    INITIAL USE at:
[ 51.901046]                    lock_acquire+0x16f/0x3f0
[ 51.906767]                    _raw_spin_lock_irq+0x60/0x80
[ 51.913068]                    io_submit_one+0xead/0x2eb0
[ 51.918996]                    __x64_sys_io_submit+0x1aa/0x520
[ 51.925550]                    do_syscall_64+0xfd/0x620
[ 51.931572]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.938974]  }
[ 51.940952]  ... key      at: [] __key.50192+0x0/0x40
[ 51.948501]  ... acquired at:
[ 51.951776]    _raw_spin_lock+0x2f/0x40
[ 51.956101]    io_submit_one+0xef2/0x2eb0
[ 51.960449]    __x64_sys_io_submit+0x1aa/0x520
[ 51.965311]    do_syscall_64+0xfd/0x620
[ 51.969485]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.975387]
[ 51.977182] -> (&ctx->fd_wqh){....} ops: 4 {
[ 51.981777]    INITIAL USE at:
[ 51.985089]                    lock_acquire+0x16f/0x3f0
[ 51.990716]                    _raw_spin_lock_irq+0x60/0x80
[ 51.996602]                    userfaultfd_read+0x262/0x18c0
[ 52.002659]                    __vfs_read+0x114/0x800
[ 52.008105]                    vfs_read+0x194/0x3d0
[ 52.013468]                    ksys_read+0x14f/0x2d0
[ 52.019012]                    __x64_sys_read+0x73/0xb0
[ 52.024637]                    do_syscall_64+0xfd/0x620
[ 52.030384]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.037545]  }
[ 52.039430]  ... key      at: [] __key.43729+0x0/0x40
[ 52.046688]  ... acquired at:
[ 52.049877]    _raw_spin_lock+0x2f/0x40
[ 52.053932]    userfaultfd_read+0x394/0x18c0
[ 52.058507]    __vfs_read+0x114/0x800
[ 52.062482]    vfs_read+0x194/0x3d0
[ 52.066465]    ksys_read+0x14f/0x2d0
[ 52.070261]    __x64_sys_read+0x73/0xb0
[ 52.074318]    do_syscall_64+0xfd/0x620
[ 52.078694]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.084055]
[ 52.085663] -> (&ctx->fault_pending_wqh){+.+.} ops: 3 {
[ 52.091139]    HARDIRQ-ON-W at:
[ 52.094413]                    lock_acquire+0x16f/0x3f0
[ 52.099857]                    _raw_spin_lock+0x2f/0x40
[ 52.105644]                    userfaultfd_release+0x4d6/0x720
[ 52.112006]                    __fput+0x2dd/0x8b0
[ 52.116934]                    ____fput+0x16/0x20
[ 52.121884]                    task_work_run+0x145/0x1c0
[ 52.127719]                    do_exit+0x933/0x2fa0
[ 52.133070]                    do_group_exit+0x135/0x370
[ 52.138865]                    get_signal+0x3ec/0x1fc0
[ 52.144681]                    do_signal+0x95/0x1960
[ 52.150186]                    exit_to_usermode_loop+0x244/0x2c0
[ 52.156420]                    do_syscall_64+0x53d/0x620
[ 52.162224]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.169252]    SOFTIRQ-ON-W at:
[ 52.173116]                    lock_acquire+0x16f/0x3f0
[ 52.178661]                    _raw_spin_lock+0x2f/0x40
[ 52.184290]                    userfaultfd_release+0x4d6/0x720
[ 52.190424]                    __fput+0x2dd/0x8b0
[ 52.195358]                    ____fput+0x16/0x20
[ 52.200396]                    task_work_run+0x145/0x1c0
[ 52.206105]                    do_exit+0x933/0x2fa0
[ 52.211297]                    do_group_exit+0x135/0x370
[ 52.216979]                    get_signal+0x3ec/0x1fc0
[ 52.222532]                    do_signal+0x95/0x1960
[ 52.228109]                    exit_to_usermode_loop+0x244/0x2c0
[ 52.234843]                    do_syscall_64+0x53d/0x620
[ 52.240558]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.247550]    INITIAL USE at:
[ 52.251034]                    lock_acquire+0x16f/0x3f0
[ 52.256477]                    _raw_spin_lock+0x2f/0x40
[ 52.262121]                    userfaultfd_read+0x394/0x18c0
[ 52.267994]                    __vfs_read+0x114/0x800
[ 52.273189]                    vfs_read+0x194/0x3d0
[ 52.278481]                    ksys_read+0x14f/0x2d0
[ 52.283686]                    __x64_sys_read+0x73/0xb0
[ 52.289383]                    do_syscall_64+0xfd/0x620
[ 52.294847]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.301844]  }
[ 52.303654]  ... key      at: [] __key.43726+0x0/0x40
[ 52.310543]  ... acquired at:
[ 52.313727]    mark_lock+0x420/0x1370
[ 52.317611]    __lock_acquire+0x6b5/0x48f0
[ 52.322111]    lock_acquire+0x16f/0x3f0
[ 52.326399]    _raw_spin_lock+0x2f/0x40
[ 52.330462]    userfaultfd_release+0x4d6/0x720
[ 52.335208]    __fput+0x2dd/0x8b0
[ 52.339005]    ____fput+0x16/0x20
[ 52.342555]    task_work_run+0x145/0x1c0
[ 52.346725]    do_exit+0x933/0x2fa0
[ 52.350468]    do_group_exit+0x135/0x370
[ 52.354616]    get_signal+0x3ec/0x1fc0
[ 52.358493]    do_signal+0x95/0x1960
[ 52.362485]    exit_to_usermode_loop+0x244/0x2c0
[ 52.367524]    do_syscall_64+0x53d/0x620
[ 52.371851]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.377285]
[ 52.379011]
[ 52.379011] stack backtrace:
[ 52.383608] CPU: 0 PID: 7602 Comm: syz-executor242 Not tainted 4.19.51 #23
[ 52.390879] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.400533] Call Trace:
[ 52.403319]  dump_stack+0x172/0x1f0
[ 52.407438]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 52.413080]  check_usage_backwards.cold+0x1d/0x26
[ 52.418307]  ? print_shortest_lock_dependencies+0x90/0x90
[ 52.424125]  ? save_stack_trace+0x1a/0x20
[ 52.428536]  ? save_trace+0xe0/0x290
[ 52.432510]  mark_lock+0x420/0x1370
[ 52.436561]  ? print_shortest_lock_dependencies+0x90/0x90
[ 52.442395]  __lock_acquire+0x6b5/0x48f0
[ 52.446920]  ? is_bpf_text_address+0xd3/0x170
[ 52.451779]  ? kernel_text_address+0x73/0xf0
[ 52.456287]  ? mark_held_locks+0x100/0x100
[ 52.460703]  ? __lock_acquire+0x6eb/0x48f0
[ 52.465074]  ? __lock_acquire+0x6eb/0x48f0
[ 52.469491]  ? free_fs_struct+0x4f/0x70
[ 52.473568]  ? do_exit+0x902/0x2fa0
[ 52.477444]  lock_acquire+0x16f/0x3f0
[ 52.481343]  ? userfaultfd_release+0x4d6/0x720
[ 52.486199]  _raw_spin_lock+0x2f/0x40
[ 52.490417]  ? userfaultfd_release+0x4d6/0x720
[ 52.495072]  userfaultfd_release+0x4d6/0x720
[ 52.499709]  ? userfaultfd_ctx_get+0x1a0/0x1a0
[ 52.504472]  ? ___might_sleep+0x163/0x280
[ 52.509054]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 52.514773]  ? ima_file_free+0xc9/0x4a0
[ 52.518854]  ? userfaultfd_ctx_get+0x1a0/0x1a0
[ 52.523617]  __fput+0x2dd/0x8b0
[ 52.527146]  ____fput+0x16/0x20
[ 52.530678]  task_work_run+0x145/0x1c0
[ 52.534649]  do_exit+0x933/0x2fa0
[ 52.538192]  ? get_signal+0x384/0x1fc0
[ 52.542074]  ? mm_update_next_owner+0x660/0x660
[ 52.546733]  ? _raw_spin_unlock_irq+0x28/0x90
[ 52.551364]  ? get_signal+0x384/0x1fc0
[ 52.555239]  ? _raw_spin_unlock_irq+0x28/0x90
[ 52.559815]  do_group_exit+0x135/0x370
[ 52.563802]  get_signal+0x3ec/0x1fc0
[ 52.567681]  ? mark_held_locks+0x100/0x100
[ 52.572268]  do_signal+0x95/0x1960
[ 52.575805]  ? __x64_sys_io_submit+0x2e8/0x520
[ 52.580515]  ? setup_sigcontext+0x7d0/0x7d0
[ 52.584835]  ? lock_downgrade+0x810/0x810
[ 52.590235]  ? kasan_check_read+0x11/0x20
[ 52.594492]  ? __x64_sys_futex+0x40d/0x590
[ 52.599161]  ? exit_to_usermode_loop+0x43/0x2c0
[ 52.603823]  ? do_syscall_64+0x53d/0x620
[ 52.608049]  ? exit_to_usermode_loop+0x43/0x2c0
[ 52.612719]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 52.617300]  ? trace_hardirqs_on+0x67/0x220
[ 52.621734]  exit_to_usermode_loop+0x244/0x2c0
[ 52.626317]  do_syscall_64+0x53d/0x620
[ 52.630482]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.636123] RIP: 0033:0x4458f9
[ 52.639486] Code: Bad RIP value.
[ 52.642848] RSP: 002b:00007fa4e3bf6db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 52.650999] RAX: fffffffffffffe00 RBX: 00000000006dac58 RCX: 00000000004458f9
[ 52.658363] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dac58
[ 52.665823] RBP: 00