Warning: Permanently added '10.128.0.202' (ECDSA) to the list of known hosts.
[ 53.681592] audit: type=1400 audit(1561819888.356:36): avc: denied { map } for pid=7920 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/06/29 14:51:29 parsed 1 programs
[ 54.523651] audit: type=1400 audit(1561819889.196:37): avc: denied { map } for pid=7920 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=14971 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/06/29 14:51:31 executed programs: 0
[ 56.563355] IPVS: ftp: loaded support on port[0] = 21
[ 56.626289] chnl_net:caif_netlink_parms(): no params data found
[ 56.660112] bridge0: port 1(bridge_slave_0) entered blocking state
[ 56.666971] bridge0: port 1(bridge_slave_0) entered disabled state
[ 56.674777] device bridge_slave_0 entered promiscuous mode
[ 56.682182] bridge0: port 2(bridge_slave_1) entered blocking state
[ 56.688736] bridge0: port 2(bridge_slave_1) entered disabled state
[ 56.696344] device bridge_slave_1 entered promiscuous mode
[ 56.712288] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 56.721738] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 56.738696] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 56.746505] team0: Port device team_slave_0 added
[ 56.751954] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 56.759446] team0: Port device team_slave_1 added
[ 56.764804] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 56.772050] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 56.855578] device hsr_slave_0 entered promiscuous mode
[ 56.914004] device hsr_slave_1 entered promiscuous mode
[ 56.954137] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 56.961065] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 56.974759] bridge0: port 2(bridge_slave_1) entered blocking state
[ 56.981156] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 56.988088] bridge0: port 1(bridge_slave_0) entered blocking state
[ 56.994465] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 57.027700] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 57.035958] 8021q: adding VLAN 0 to HW filter on device bond0
[ 57.044814] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 57.053268] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.073004] bridge0: port 1(bridge_slave_0) entered disabled state
[ 57.080344] bridge0: port 2(bridge_slave_1) entered disabled state
[ 57.088921] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 57.098668] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 57.105160] 8021q: adding VLAN 0 to HW filter on device team0
[ 57.114516] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 57.122265] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.128672] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 57.137944] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 57.146367] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.152713] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 57.168339] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 57.184729] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 57.194625] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 57.205178] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 57.212379] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 57.221491] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 57.229443] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 57.237379] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 57.245279] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 57.257063] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 57.267896] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 57.279022] audit: type=1400 audit(1561819891.956:38): avc: denied { associate } for pid=7937 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2019/06/29 14:51:36 executed programs: 5
2019/06/29 14:51:42 executed programs: 11
[ 68.404091]
[ 68.405753] =====================================================
[ 68.411966] WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
[ 68.418790] 4.19.56 #28 Not tainted
[ 68.422393] -----------------------------------------------------
[ 68.428609] syz-executor.0/8001 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
[ 68.435873] 00000000b92d84ad (&ctx->fd_wqh){....}, at: io_submit_one+0xef2/0x2eb0
[ 68.443493]
[ 68.443493] and this task is already holding:
[ 68.449609] 00000000fb356317 (&(&ctx->ctx_lock)->rlock){..-.}, at: io_submit_one+0xead/0x2eb0
[ 68.458425] which would create a new lock dependency:
[ 68.463597] (&(&ctx->ctx_lock)->rlock){..-.} -> (&ctx->fd_wqh){....}
[ 68.470181]
[ 68.470181] but this new dependency connects a SOFTIRQ-irq-safe lock:
[ 68.478222] (&(&ctx->ctx_lock)->rlock){..-.}
[ 68.478232]
[ 68.478232] ... which became SOFTIRQ-irq-safe at:
[ 68.489167] lock_acquire+0x16f/0x3f0
[ 68.493051] _raw_spin_lock_irq+0x60/0x80
[ 68.497274] free_ioctx_users+0x2d/0x490
[ 68.501484] percpu_ref_switch_to_atomic_rcu+0x407/0x540
[ 68.507225] rcu_process_callbacks+0xba0/0x1a30
[ 68.512194] __do_softirq+0x25c/0x921
[ 68.516066] irq_exit+0x180/0x1d0
[ 68.519595] smp_apic_timer_interrupt+0x13b/0x550
[ 68.524510] apic_timer_interrupt+0xf/0x20
[ 68.528816] native_safe_halt+0xe/0x10
[ 68.532775] arch_cpu_idle+0xa/0x10
[ 68.536488] default_idle_call+0x36/0x90
[ 68.540634] do_idle+0x377/0x560
[ 68.544196] cpu_startup_entry+0xc8/0xe0
[ 68.548529] rest_init+0xf1/0xf6
[ 68.551971] start_kernel+0x88c/0x8c5
[ 68.555845] x86_64_start_reservations+0x29/0x2b
[ 68.560751] x86_64_start_kernel+0x77/0x7b
[ 68.565068] secondary_startup_64+0xa4/0xb0
[ 68.569458]
[ 68.569458] to a SOFTIRQ-irq-unsafe lock:
[ 68.575161] (&ctx->fault_pending_wqh){+.+.}
[ 68.575171]
[ 68.575171] ... which became SOFTIRQ-irq-unsafe at:
[ 68.586246] ...
[ 68.586267] lock_acquire+0x16f/0x3f0
[ 68.592040] _raw_spin_lock+0x2f/0x40
[ 68.595921] userfaultfd_release+0x4d6/0x720
[ 68.600449] __fput+0x2dd/0x8b0
[ 68.604222] ____fput+0x16/0x20
[ 68.607581] task_work_run+0x145/0x1c0
[ 68.611556] get_signal+0x1baa/0x1fc0
[ 68.615432] do_signal+0x95/0x1960
[ 68.619048] exit_to_usermode_loop+0x244/0x2c0
[ 68.623710] do_syscall_64+0x53d/0x620
[ 68.627898] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.633284]
[ 68.633284] other info that might help us debug this:
[ 68.633284]
[ 68.641520] Chain exists of:
[ 68.641520] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 68.641520]
[ 68.653821] Possible interrupt unsafe locking scenario:
[ 68.653821]
[ 68.660759]        CPU0                    CPU1
[ 68.665414]        ----                    ----
[ 68.670136]   lock(&ctx->fault_pending_wqh);
[ 68.674549]                                local_irq_disable();
[ 68.680594]                                lock(&(&ctx->ctx_lock)->rlock);
[ 68.687858]                                lock(&ctx->fd_wqh);
[ 68.693915]
[ 68.696781]     lock(&(&ctx->ctx_lock)->rlock);
[ 68.701619]
[ 68.701619] *** DEADLOCK ***
[ 68.701619]
[ 68.707680] 1 lock held by syz-executor.0/8001:
[ 68.712341] #0: 00000000fb356317 (&(&ctx->ctx_lock)->rlock){..-.}, at: io_submit_one+0xead/0x2eb0
[ 68.721524]
[ 68.721524] the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
[ 68.730714] -> (&(&ctx->ctx_lock)->rlock){..-.} ops: 12 {
[ 68.736302] IN-SOFTIRQ-W at:
[ 68.739648] lock_acquire+0x16f/0x3f0
[ 68.745507] _raw_spin_lock_irq+0x60/0x80
[ 68.751446] free_ioctx_users+0x2d/0x490
[ 68.757408] percpu_ref_switch_to_atomic_rcu+0x407/0x540
[ 68.764544] rcu_process_callbacks+0xba0/0x1a30
[ 68.770939] __do_softirq+0x25c/0x921
[ 68.776389] irq_exit+0x180/0x1d0
[ 68.781483] smp_apic_timer_interrupt+0x13b/0x550
[ 68.787965] apic_timer_interrupt+0xf/0x20
[ 68.794126] native_safe_halt+0xe/0x10
[ 68.799742] arch_cpu_idle+0xa/0x10
[ 68.805118] default_idle_call+0x36/0x90
[ 68.810890] do_idle+0x377/0x560
[ 68.815904] cpu_startup_entry+0xc8/0xe0
[ 68.821618] rest_init+0xf1/0xf6
[ 68.826696] start_kernel+0x88c/0x8c5
[ 68.832157] x86_64_start_reservations+0x29/0x2b
[ 68.838611] x86_64_start_kernel+0x77/0x7b
[ 68.844491] secondary_startup_64+0xa4/0xb0
[ 68.850487] INITIAL USE at:
[ 68.853798] lock_acquire+0x16f/0x3f0
[ 68.859238] _raw_spin_lock_irq+0x60/0x80
[ 68.864939] free_ioctx_users+0x2d/0x490
[ 68.870555] percpu_ref_switch_to_atomic_rcu+0x407/0x540
[ 68.877658] rcu_process_callbacks+0xba0/0x1a30
[ 68.883881] __do_softirq+0x25c/0x921
[ 68.889227] irq_exit+0x180/0x1d0
[ 68.894223] smp_apic_timer_interrupt+0x13b/0x550
[ 68.900619] apic_timer_interrupt+0xf/0x20
[ 68.906445] native_safe_halt+0xe/0x10
[ 68.911925] arch_cpu_idle+0xa/0x10
[ 68.917108] default_idle_call+0x36/0x90
[ 68.922830] do_idle+0x377/0x560
[ 68.927756] cpu_startup_entry+0xc8/0xe0
[ 68.933378] rest_init+0xf1/0xf6
[ 68.938334] start_kernel+0x88c/0x8c5
[ 68.943699] x86_64_start_reservations+0x29/0x2b
[ 68.950022] x86_64_start_kernel+0x77/0x7b
[ 68.955930] secondary_startup_64+0xa4/0xb0
[ 68.962206] }
[ 68.963998] ... key at: [] __key.50193+0x0/0x40
[ 68.970736] ... acquired at:
[ 68.973874] lock_acquire+0x16f/0x3f0
[ 68.977840] _raw_spin_lock+0x2f/0x40
[ 68.981809] io_submit_one+0xef2/0x2eb0
[ 68.986668] __x64_sys_io_submit+0x1aa/0x520
[ 68.991233] do_syscall_64+0xfd/0x620
[ 68.995187] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.000527]
[ 69.002136]
[ 69.002136] the dependencies between the lock to be acquired
[ 69.002140] and SOFTIRQ-irq-unsafe lock:
[ 69.013619] -> (&ctx->fault_pending_wqh){+.+.} ops: 67 {
[ 69.019169] HARDIRQ-ON-W at:
[ 69.022533] lock_acquire+0x16f/0x3f0
[ 69.028290] _raw_spin_lock+0x2f/0x40
[ 69.033906] userfaultfd_release+0x4d6/0x720
[ 69.040269] __fput+0x2dd/0x8b0
[ 69.045363] ____fput+0x16/0x20
[ 69.050468] task_work_run+0x145/0x1c0
[ 69.056171] get_signal+0x1baa/0x1fc0
[ 69.061825] do_signal+0x95/0x1960
[ 69.067192] exit_to_usermode_loop+0x244/0x2c0
[ 69.073641] do_syscall_64+0x53d/0x620
[ 69.079449] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.086488] SOFTIRQ-ON-W at:
[ 69.089889] lock_acquire+0x16f/0x3f0
[ 69.095504] _raw_spin_lock+0x2f/0x40
[ 69.101123] userfaultfd_release+0x4d6/0x720
[ 69.107540] __fput+0x2dd/0x8b0
[ 69.112672] ____fput+0x16/0x20
[ 69.118037] task_work_run+0x145/0x1c0
[ 69.123843] get_signal+0x1baa/0x1fc0
[ 69.129579] do_signal+0x95/0x1960
[ 69.134934] exit_to_usermode_loop+0x244/0x2c0
[ 69.141439] do_syscall_64+0x53d/0x620
[ 69.147155] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.154171] INITIAL USE at:
[ 69.157455] lock_acquire+0x16f/0x3f0
[ 69.162985] _raw_spin_lock+0x2f/0x40
[ 69.168694] userfaultfd_read+0x394/0x18c0
[ 69.174840] __vfs_read+0x114/0x800
[ 69.180193] vfs_read+0x194/0x3d0
[ 69.185552] ksys_read+0x14f/0x2d0
[ 69.190827] __x64_sys_read+0x73/0xb0
[ 69.196355] do_syscall_64+0xfd/0x620
[ 69.201885] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.208809] }
[ 69.210781] ... key at: [] __key.43727+0x0/0x40
[ 69.217884] ... acquired at:
[ 69.221074] _raw_spin_lock+0x2f/0x40
[ 69.225278] userfaultfd_read+0x394/0x18c0
[ 69.229672] __vfs_read+0x114/0x800
[ 69.233461] vfs_read+0x194/0x3d0
[ 69.237075] ksys_read+0x14f/0x2d0
[ 69.240854] __x64_sys_read+0x73/0xb0
[ 69.244813] do_syscall_64+0xfd/0x620
[ 69.248784] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.254147]
[ 69.255844] -> (&ctx->fd_wqh){....} ops: 69 {
[ 69.260331] INITIAL USE at:
[ 69.263528] lock_acquire+0x16f/0x3f0
[ 69.268886] _raw_spin_lock_irq+0x60/0x80
[ 69.274597] userfaultfd_read+0x262/0x18c0
[ 69.280388] __vfs_read+0x114/0x800
[ 69.285567] vfs_read+0x194/0x3d0
[ 69.290651] ksys_read+0x14f/0x2d0
[ 69.295767] __x64_sys_read+0x73/0xb0
[ 69.301127] do_syscall_64+0xfd/0x620
[ 69.306529] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.313263] }
[ 69.315060] ... key at: [] __key.43730+0x0/0x40
[ 69.321881] ... acquired at:
[ 69.324976] lock_acquire+0x16f/0x3f0
[ 69.329005] _raw_spin_lock+0x2f/0x40
[ 69.333117] io_submit_one+0xef2/0x2eb0
[ 69.337320] __x64_sys_io_submit+0x1aa/0x520
[ 69.341906] do_syscall_64+0xfd/0x620
[ 69.345875] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.351220]
[ 69.352837]
[ 69.352837] stack backtrace:
[ 69.357346] CPU: 1 PID: 8001 Comm: syz-executor.0 Not tainted 4.19.56 #28
[ 69.364349] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.373695] Call Trace:
[ 69.376289] dump_stack+0x172/0x1f0
[ 69.379942] check_usage.cold+0x611/0x946
[ 69.384090] ? check_usage_forwards+0x340/0x340
[ 69.389104] ? unwind_get_return_address+0x61/0xa0
[ 69.394033] ? check_noncircular+0x20/0x20
[ 69.398284] ? check_noncircular+0x20/0x20
[ 69.402532] __lock_acquire+0x1ee4/0x48f0
[ 69.406776] ? __lock_acquire+0x1ee4/0x48f0
[ 69.411105] ? mark_held_locks+0x100/0x100
[ 69.415343] ? __debug_object_init+0x190/0xc30
[ 69.419946] ? mark_held_locks+0x100/0x100
[ 69.424184] ? add_wait_queue+0x112/0x170
[ 69.428334] ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 69.433455] ? add_wait_queue+0x112/0x170
[ 69.437609] ? lockdep_hardirqs_on+0x415/0x5d0
[ 69.442198] ? trace_hardirqs_on+0x67/0x220
[ 69.446519] ? kasan_check_read+0x11/0x20
[ 69.450668] lock_acquire+0x16f/0x3f0
[ 69.454474] ? io_submit_one+0xef2/0x2eb0
[ 69.458627] _raw_spin_lock+0x2f/0x40
[ 69.462427] ? io_submit_one+0xef2/0x2eb0
[ 69.466574] io_submit_one+0xef2/0x2eb0
[ 69.470549] ? ioctx_alloc+0x1db0/0x1db0
[ 69.474604] ? __might_fault+0x12b/0x1e0
[ 69.478654] ? aio_setup_rw+0x180/0x180
[ 69.482626] __x64_sys_io_submit+0x1aa/0x520
[ 69.487034] ? __x64_sys_io_submit+0x1aa/0x520
[ 69.491780] ? __ia32_sys_io_destroy+0x420/0x420
[ 69.496599] ? do_syscall_64+0x26/0x620
[ 69.500636] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.506141] ? do_syscall_64+0x26/0x620
[ 69.510112] ? lockdep_hardirqs_on+0x415/0x5d0
[ 69.514693] do_syscall_64+0xfd/0x620
[ 69.518575] ? do_syscall_64+0xfd/0x620
[ 69.522588] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.527774] RIP: 0033:0x459519
[ 69.530976] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 69.550274] RSP: 002b:00007fed61b6ac78 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
[ 69.558023] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459519
[ 69.565295] RDX: 0000000020000600 RSI: 0000000000000001 RDI: 00007fed61b6c000
[ 69.572567] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 69.579837] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fed61b6b6d4
[ 69.587100] R13: 00000000004c0898 R14: 00000000004d3548 R15: 00000000ffffffff
[ 69.686232] kobject: 'loop0' (0000000000002172): kobject_uevent_env
[ 69.692845] kobject: 'loop0' (0000000000002172): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 70.616041] kobject: 'loop0' (0000000000002172): kobject_uevent_env
[ 70.622895] kobject: 'loop0' (0000000000002172): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 71.546543] kobject: 'loop0' (0000000000002172): kobject_uevent_env
[ 71.553054] kobject: 'loop0' (0000000000002172): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 72.466532] kobject: 'loop0' (0000000000002172): kobject_uevent_env
[ 72.473093] kobject: 'loop0' (0000000000002172): fill_kobj_path: path = '/devices/virtual/block/loop0'
2019/06/29 14:51:48 executed programs: 16
[ 73.397209] kobject: 'loop0' (0000000000002172): kobject_uevent_env
[ 73.404164] kobject: 'loop0' (0000000000002172): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 74.326572] kobject: 'loop0' (0000000000002172): kobject_uevent_env
[ 74.333307] kobject: 'loop0' (0000000000002172): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 75.256622] kobject: 'loop0' (0000000000002172): kobject_uevent_env
[ 75.263102] kobject: 'loop0' (0000000000002172): fill_kobj_path: path = '/devices/virtual/block/loop0'