[ 48.195255][ T26] audit: type=1800 audit(1554225556.052:30): pid=7968 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 53.303575][ T26] kauditd_printk_skb: 4 callbacks suppressed [ 53.303590][ T26] audit: type=1400 audit(1554225561.192:35): avc: denied { map } for pid=8144 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.10.63' (ECDSA) to the list of known hosts. executing program [ 59.839641][ T26] audit: type=1400 audit(1554225567.732:36): avc: denied { map } for pid=8156 comm="syz-executor293" path="/root/syz-executor293063623" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 60.106627][ T8158] [ 60.108988][ T8158] ======================================================== [ 60.116167][ T8158] WARNING: possible irq lock inversion dependency detected [ 60.123352][ T8158] 5.1.0-rc3+ #48 Not tainted [ 60.127928][ T8158] -------------------------------------------------------- [ 60.135116][ T8158] syz-executor293/8158 just changed the state of lock: [ 60.141943][ T8158] 000000008228862b (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0 [ 60.151645][ T8158] but this lock was taken by another, SOFTIRQ-safe lock in the past: [ 60.159673][ T8158] (&(&ctx->ctx_lock)->rlock){..-.} [ 60.159679][ T8158] [ 60.159679][ T8158] [ 60.159679][ T8158] and interrupts could create inverse lock ordering between them. [ 60.159679][ T8158] [ 60.179154][ T8158] [ 60.179154][ T8158] other info that might help us debug this: [ 60.187203][ T8158] Chain exists of: [ 60.187203][ T8158] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh [ 60.187203][ T8158] [ 60.201408][ T8158] Possible interrupt unsafe locking scenario: [ 60.201408][ T8158] [ 60.209735][ T8158] CPU0 CPU1 [ 60.215079][ T8158] ---- ---- [ 60.220431][ T8158] lock(&ctx->fault_pending_wqh); [ 60.225518][ T8158] local_irq_disable(); [ 60.232246][ T8158] lock(&(&ctx->ctx_lock)->rlock); [ 60.239938][ T8158] lock(&ctx->fd_wqh); [ 60.246594][ T8158] [ 60.250021][ T8158] lock(&(&ctx->ctx_lock)->rlock); [ 60.255365][ T8158] [ 60.255365][ T8158] *** DEADLOCK *** [ 60.255365][ T8158] [ 60.263488][ T8158] no locks held by syz-executor293/8158. [ 60.269142][ T8158] [ 60.269142][ T8158] the shortest dependencies between 2nd lock and 1st lock: [ 60.278487][ T8158] -> (&(&ctx->ctx_lock)->rlock){..-.} { [ 60.284180][ T8158] IN-SOFTIRQ-W at: [ 60.288318][ T8158] lock_acquire+0x16f/0x3f0 [ 60.294822][ T8158] _raw_spin_lock_irq+0x60/0x80 [ 60.301649][ T8158] free_ioctx_users+0x2d/0x4a0 [ 60.308385][ T8158] percpu_ref_switch_to_atomic_rcu+0x3e7/0x520 [ 60.316515][ T8158] rcu_core+0x928/0x1390 [ 60.322730][ T8158] __do_softirq+0x266/0x95a [ 60.329223][ T8158] irq_exit+0x180/0x1d0 [ 60.335371][ T8158] smp_apic_timer_interrupt+0x14a/0x570 [ 60.342909][ T8158] apic_timer_interrupt+0xf/0x20 [ 60.349831][ T8158] native_safe_halt+0x2/0x10 [ 60.356411][ T8158] arch_cpu_idle+0x10/0x20 [ 60.362811][ T8158] default_idle_call+0x36/0x90 [ 60.369548][ T8158] do_idle+0x386/0x570 [ 60.375588][ T8158] cpu_startup_entry+0x1b/0x20 [ 60.382321][ T8158] rest_init+0x245/0x37b [ 60.388551][ T8158] arch_call_rest_init+0xe/0x1b [ 60.395373][ T8158] start_kernel+0x816/0x84f [ 60.401848][ T8158] x86_64_start_reservations+0x29/0x2b [ 60.409280][ T8158] x86_64_start_kernel+0x77/0x7b [ 60.416194][ T8158] secondary_startup_64+0xa4/0xb0 [ 60.423184][ T8158] INITIAL USE at: [ 60.427231][ T8158] lock_acquire+0x16f/0x3f0 [ 60.433620][ T8158] _raw_spin_lock_irq+0x60/0x80 [ 60.440372][ T8158] io_submit_one+0xaec/0x2f90 [ 60.446934][ T8158] __x64_sys_io_submit+0x1bd/0x580 [ 60.453932][ T8158] do_syscall_64+0x103/0x610 [ 60.460409][ T8158] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 60.468180][ T8158] } [ 60.470834][ T8158] ... key at: [] __key.52649+0x0/0x40 [ 60.478430][ T8158] ... acquired at: [ 60.482406][ T8158] lock_acquire+0x16f/0x3f0 [ 60.487076][ T8158] _raw_spin_lock+0x2f/0x40 [ 60.491730][ T8158] io_submit_one+0xb31/0x2f90 [ 60.496555][ T8158] __x64_sys_io_submit+0x1bd/0x580 [ 60.501816][ T8158] do_syscall_64+0x103/0x610 [ 60.506574][ T8158] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 60.512622][ T8158] [ 60.514943][ T8158] -> (&ctx->fd_wqh){....} { [ 60.519509][ T8158] INITIAL USE at: [ 60.523490][ T8158] lock_acquire+0x16f/0x3f0 [ 60.529708][ T8158] _raw_spin_lock_irq+0x60/0x80 [ 60.536273][ T8158] userfaultfd_read+0x27a/0x1940 [ 60.542931][ T8158] __vfs_read+0x8d/0x110 [ 60.548900][ T8158] vfs_read+0x194/0x3e0 [ 60.554770][ T8158] ksys_read+0xea/0x1f0 [ 60.560658][ T8158] __x64_sys_read+0x73/0xb0 [ 60.566885][ T8158] do_syscall_64+0x103/0x610 [ 60.573218][ T8158] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 60.580839][ T8158] } [ 60.583422][ T8158] ... key at: [] __key.45459+0x0/0x40 [ 60.590934][ T8158] ... acquired at: [ 60.594843][ T8158] lock_acquire+0x16f/0x3f0 [ 60.599504][ T8158] _raw_spin_lock+0x2f/0x40 [ 60.604154][ T8158] userfaultfd_read+0x540/0x1940 [ 60.609240][ T8158] __vfs_read+0x8d/0x110 [ 60.613634][ T8158] vfs_read+0x194/0x3e0 [ 60.617941][ T8158] ksys_read+0xea/0x1f0 [ 60.622245][ T8158] __x64_sys_read+0x73/0xb0 [ 60.626912][ T8158] do_syscall_64+0x103/0x610 [ 60.631738][ T8158] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 60.637769][ T8158] [ 60.640067][ T8158] -> (&ctx->fault_pending_wqh){+.+.} { [ 60.645497][ T8158] HARDIRQ-ON-W at: [ 60.649456][ T8158] lock_acquire+0x16f/0x3f0 [ 60.655579][ T8158] _raw_spin_lock+0x2f/0x40 [ 60.661710][ T8158] userfaultfd_release+0x48e/0x6d0 [ 60.668454][ T8158] __fput+0x2e5/0x8d0 [ 60.674056][ T8158] ____fput+0x16/0x20 [ 60.679663][ T8158] task_work_run+0x14a/0x1c0 [ 60.685880][ T8158] do_exit+0x90a/0x2fa0 [ 60.691660][ T8158] do_group_exit+0x135/0x370 [ 60.697881][ T8158] get_signal+0x399/0x1d50 [ 60.703922][ T8158] do_signal+0x87/0x1940 [ 60.709788][ T8158] exit_to_usermode_loop+0x244/0x2c0 [ 60.716716][ T8158] do_syscall_64+0x52d/0x610 [ 60.722931][ T8158] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 60.730440][ T8158] SOFTIRQ-ON-W at: [ 60.734399][ T8158] lock_acquire+0x16f/0x3f0 [ 60.740525][ T8158] _raw_spin_lock+0x2f/0x40 [ 60.746654][ T8158] userfaultfd_release+0x48e/0x6d0 [ 60.753393][ T8158] __fput+0x2e5/0x8d0 [ 60.758997][ T8158] ____fput+0x16/0x20 [ 60.764615][ T8158] task_work_run+0x14a/0x1c0 [ 60.770843][ T8158] do_exit+0x90a/0x2fa0 [ 60.776626][ T8158] do_group_exit+0x135/0x370 [ 60.782841][ T8158] get_signal+0x399/0x1d50 [ 60.788885][ T8158] do_signal+0x87/0x1940 [ 60.794752][ T8158] exit_to_usermode_loop+0x244/0x2c0 [ 60.801660][ T8158] do_syscall_64+0x52d/0x610 [ 60.807886][ T8158] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 60.816085][ T8158] INITIAL USE at: [ 60.819965][ T8158] lock_acquire+0x16f/0x3f0 [ 60.826003][ T8158] _raw_spin_lock+0x2f/0x40 [ 60.832041][ T8158] userfaultfd_read+0x540/0x1940 [ 60.838518][ T8158] __vfs_read+0x8d/0x110 [ 60.844315][ T8158] vfs_read+0x194/0x3e0 [ 60.850016][ T8158] ksys_read+0xea/0x1f0 [ 60.855711][ T8158] __x64_sys_read+0x73/0xb0 [ 60.861755][ T8158] do_syscall_64+0x103/0x610 [ 60.867888][ T8158] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 60.875311][ T8158] } [ 60.877795][ T8158] ... key at: [] __key.45456+0x0/0x40 [ 60.885218][ T8158] ... acquired at: [ 60.889002][ T8158] mark_lock+0x427/0x1380 [ 60.893492][ T8158] __lock_acquire+0x1317/0x3fb0 [ 60.898488][ T8158] lock_acquire+0x16f/0x3f0 [ 60.903139][ T8158] _raw_spin_lock+0x2f/0x40 [ 60.907790][ T8158] userfaultfd_release+0x48e/0x6d0 [ 60.913061][ T8158] __fput+0x2e5/0x8d0 [ 60.917190][ T8158] ____fput+0x16/0x20 [ 60.921316][ T8158] task_work_run+0x14a/0x1c0 [ 60.926053][ T8158] do_exit+0x90a/0x2fa0 [ 60.930370][ T8158] do_group_exit+0x135/0x370 [ 60.935117][ T8158] get_signal+0x399/0x1d50 [ 60.939689][ T8158] do_signal+0x87/0x1940 [ 60.944082][ T8158] exit_to_usermode_loop+0x244/0x2c0 [ 60.949512][ T8158] do_syscall_64+0x52d/0x610 [ 60.954252][ T8158] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 60.960282][ T8158] [ 60.962597][ T8158] [ 60.962597][ T8158] stack backtrace: [ 60.968464][ T8158] CPU: 0 PID: 8158 Comm: syz-executor293 Not tainted 5.1.0-rc3+ #48 [ 60.976410][ T8158] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 60.986453][ T8158] Call Trace: [ 60.989737][ T8158] dump_stack+0x172/0x1f0 [ 60.994046][ T8158] print_irq_inversion_bug.part.0+0x2c0/0x2cd [ 61.000088][ T8158] check_usage_backwards.cold+0x1d/0x26 [ 61.005609][ T8158] ? print_shortest_lock_dependencies+0x90/0x90 [ 61.011828][ T8158] ? save_stack_trace+0x1a/0x20 [ 61.016657][ T8158] mark_lock+0x427/0x1380 [ 61.020980][ T8158] ? print_shortest_lock_dependencies+0x90/0x90 [ 61.027195][ T8158] __lock_acquire+0x1317/0x3fb0 [ 61.032022][ T8158] ? trace_hardirqs_off+0x62/0x220 [ 61.037115][ T8158] ? kasan_check_read+0x11/0x20 [ 61.041964][ T8158] ? mark_held_locks+0xf0/0xf0 [ 61.046716][ T8158] ? save_stack+0xa9/0xd0 [ 61.051020][ T8158] ? save_stack+0x45/0xd0 [ 61.055323][ T8158] ? __kasan_slab_free+0x102/0x150 [ 61.060421][ T8158] ? kasan_slab_free+0xe/0x10 [ 61.065086][ T8158] ? kmem_cache_free+0x86/0x260 [ 61.069927][ T8158] ? free_fs_struct+0x4f/0x70 [ 61.074575][ T8158] ? exit_fs+0xf0/0x130 [ 61.078706][ T8158] lock_acquire+0x16f/0x3f0 [ 61.083199][ T8158] ? userfaultfd_release+0x48e/0x6d0 [ 61.088460][ T8158] _raw_spin_lock+0x2f/0x40 [ 61.092939][ T8158] ? userfaultfd_release+0x48e/0x6d0 [ 61.098243][ T8158] userfaultfd_release+0x48e/0x6d0 [ 61.103333][ T8158] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 61.109115][ T8158] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 61.115354][ T8158] ? ima_file_free+0xc9/0x4a0 [ 61.120010][ T8158] ? __might_sleep+0x95/0x190 [ 61.124663][ T8158] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 61.130439][ T8158] __fput+0x2e5/0x8d0 [ 61.134410][ T8158] ____fput+0x16/0x20 [ 61.138365][ T8158] task_work_run+0x14a/0x1c0 [ 61.142929][ T8158] do_exit+0x90a/0x2fa0 [ 61.147074][ T8158] ? get_signal+0x331/0x1d50 [ 61.151641][ T8158] ? mm_update_next_owner+0x640/0x640 [ 61.156989][ T8158] ? kasan_check_write+0x14/0x20 [ 61.161903][ T8158] ? _raw_spin_unlock_irq+0x28/0x90 [ 61.167073][ T8158] ? get_signal+0x331/0x1d50 [ 61.171636][ T8158] ? _raw_spin_unlock_irq+0x28/0x90 [ 61.176822][ T8158] do_group_exit+0x135/0x370 [ 61.181401][ T8158] get_signal+0x399/0x1d50 [ 61.185794][ T8158] ? __x64_sys_io_submit+0x31f/0x580 [ 61.191057][ T8158] do_signal+0x87/0x1940 [ 61.195287][ T8158] ? lock_downgrade+0x880/0x880 [ 61.200110][ T8158] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 61.206327][ T8158] ? kasan_check_read+0x11/0x20 [ 61.211155][ T8158] ? setup_sigcontext+0x7d0/0x7d0 [ 61.216157][ T8158] ? exit_to_usermode_loop+0x43/0x2c0 [ 61.221499][ T8158] ? do_syscall_64+0x52d/0x610 [ 61.226236][ T8158] ? exit_to_usermode_loop+0x43/0x2c0 [ 61.231583][ T8158] ? lockdep_hardirqs_on+0x418/0x5d0 [ 61.236841][ T8158] ? trace_hardirqs_on+0x67/0x230 [ 61.241841][ T8158] exit_to_usermode_loop+0x244/0x2c0 [ 61.247100][ T8158] do_syscall_64+0x52d/0x610 [ 61.251666][ T8158] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 61.257530][ T8158] RIP: 0033:0x4458d9 [ 61.261407][ T8158] Code: Bad RIP value. [ 61.265444][ T8158] RSP: 002b:00007f8ea0a77db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 61.273882][ T8158] RAX: fffffffffffffe00 RBX: 00000000006dac58 RCX: 00000000004458d9 [ 61.281829][ T8158] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dac58 [ 61.289775][ T8158] RBP: 00000000006dac50 R08: 0000000000000000 R09: 0000000000000000 [ 61.297747][ T8158] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac5c [ 61.305696][ T8158] R13: 00007ffc0cc2938f R14: 00007f8ea0a789c0 R15: 20