[ 40.628872] audit: type=1800 audit(1560141003.186:32): pid=7535 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 45.735816] kauditd_printk_skb: 2 callbacks suppressed
[ 45.735831] audit: type=1400 audit(1560141008.406:35): avc: denied { map } for pid=7709 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.60' (ECDSA) to the list of known hosts.
[ 52.465636] audit: type=1400 audit(1560141015.136:36): avc: denied { map } for pid=7721 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/06/10 04:30:15 parsed 1 programs
[ 53.299540] audit: type=1400 audit(1560141015.966:37): avc: denied { map } for pid=7721 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=30 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/06/10 04:30:17 executed programs: 0
[ 55.146025] IPVS: ftp: loaded support on port[0] = 21
[ 55.208562] chnl_net:caif_netlink_parms(): no params data found
[ 55.240864] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.248335] bridge0: port 1(bridge_slave_0) entered disabled state
[ 55.255498] device bridge_slave_0 entered promiscuous mode
[ 55.262454] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.268975] bridge0: port 2(bridge_slave_1) entered disabled state
[ 55.275928] device bridge_slave_1 entered promiscuous mode
[ 55.291644] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 55.300890] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 55.318205] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 55.325761] team0: Port device team_slave_0 added
[ 55.331104] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 55.338524] team0: Port device team_slave_1 added
[ 55.343689] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 55.351112] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 55.406781] device hsr_slave_0 entered promiscuous mode
[ 55.474619] device hsr_slave_1 entered promiscuous mode
[ 55.534837] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 55.541716] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 55.556850] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.563245] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 55.570151] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.576540] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 55.608032] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 55.614108] 8021q: adding VLAN 0 to HW filter on device bond0
[ 55.623433] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 55.632326] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 55.651580] bridge0: port 1(bridge_slave_0) entered disabled state
[ 55.658853] bridge0: port 2(bridge_slave_1) entered disabled state
[ 55.666693] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 55.676954] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 55.683017] 8021q: adding VLAN 0 to HW filter on device team0
[ 55.692031] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 55.699766] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.706276] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 55.716214] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 55.723807] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.730200] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 55.745214] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 55.753323] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 55.763075] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 55.776535] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 55.786427] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 55.795720] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 55.801717] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 55.815062] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 55.825609] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 55.836031] audit: type=1400 audit(1560141018.506:38): avc: denied { associate } for pid=7737 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2019/06/10 04:30:23 executed programs: 5
2019/06/10 04:30:28 executed programs: 11
[ 71.665398] 
[ 71.667048] =====================================================
[ 71.673255] WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
[ 71.679987] 4.19.49 #21 Not tainted
[ 71.683591] -----------------------------------------------------
[ 71.689804] syz-executor.0/7825 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
[ 71.697053] 000000007bb2b707 (&ctx->fd_wqh){....}, at: io_submit_one+0xef2/0x2eb0
[ 71.704683] 
[ 71.704683] and this task is already holding:
[ 71.710641] 00000000e10ef4d2 (&(&ctx->ctx_lock)->rlock){..-.}, at: io_submit_one+0xead/0x2eb0
[ 71.719321] which would create a new lock dependency:
[ 71.724489]  (&(&ctx->ctx_lock)->rlock){..-.} -> (&ctx->fd_wqh){....}
[ 71.731152] 
[ 71.731152] but this new dependency connects a SOFTIRQ-irq-safe lock:
[ 71.739201]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 71.739210] 
[ 71.739210] ... which became SOFTIRQ-irq-safe at:
[ 71.749984]   lock_acquire+0x16f/0x3f0
[ 71.753855]   _raw_spin_lock_irq+0x60/0x80
[ 71.758070]   free_ioctx_users+0x2d/0x490
[ 71.762203]   percpu_ref_switch_to_atomic_rcu+0x407/0x540
[ 71.767729]   rcu_process_callbacks+0xba0/0x1a30
[ 71.772468]   __do_softirq+0x25c/0x921
[ 71.776345]   irq_exit+0x180/0x1d0
[ 71.779924]   smp_apic_timer_interrupt+0x13b/0x550
[ 71.784848]   apic_timer_interrupt+0xf/0x20
[ 71.789200]   native_safe_halt+0xe/0x10
[ 71.793165]   arch_cpu_idle+0xa/0x10
[ 71.796869]   default_idle_call+0x36/0x90
[ 71.800999]   do_idle+0x377/0x560
[ 71.804489]   cpu_startup_entry+0xc8/0xe0
[ 71.808624]   rest_init+0xf1/0xf6
[ 71.812058]   start_kernel+0x88c/0x8c5
[ 71.816047]   x86_64_start_reservations+0x29/0x2b
[ 71.820873]   x86_64_start_kernel+0x77/0x7b
[ 71.825185]   secondary_startup_64+0xa4/0xb0
[ 71.829575] 
[ 71.829575] to a SOFTIRQ-irq-unsafe lock:
[ 71.835178]  (&ctx->fault_pending_wqh){+.+.}
[ 71.835187] 
[ 71.835187] ... which became SOFTIRQ-irq-unsafe at:
[ 71.846109] ...
[ 71.846125]   lock_acquire+0x16f/0x3f0
[ 71.851863]   _raw_spin_lock+0x2f/0x40
[ 71.855738]   userfaultfd_release+0x4d6/0x720
[ 71.860219]   __fput+0x2dd/0x8b0
[ 71.863576]   ____fput+0x16/0x20
[ 71.866941]   task_work_run+0x145/0x1c0
[ 71.870905]   get_signal+0x1baa/0x1fc0
[ 71.874778]   do_signal+0x95/0x1960
[ 71.878393]   exit_to_usermode_loop+0x244/0x2c0
[ 71.883043]   do_syscall_64+0x53d/0x620
[ 71.887005]   entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 71.892259] 
[ 71.892259] other info that might help us debug this:
[ 71.892259] 
[ 71.900430] Chain exists of:
[ 71.900430]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 71.900430] 
[ 71.912567]  Possible interrupt unsafe locking scenario:
[ 71.912567] 
[ 71.919475]        CPU0                    CPU1
[ 71.924122]        ----                    ----
[ 71.928888]   lock(&ctx->fault_pending_wqh);
[ 71.933296]                                local_irq_disable();
[ 71.939332]                                lock(&(&ctx->ctx_lock)->rlock);
[ 71.946325]                                lock(&ctx->fd_wqh);
[ 71.952277]   <Interrupt>
[ 71.955012]     lock(&(&ctx->ctx_lock)->rlock);
[ 71.959660] 
[ 71.959660]  *** DEADLOCK ***
[ 71.959660] 
[ 71.965712] 1 lock held by syz-executor.0/7825:
[ 71.970357]  #0: 00000000e10ef4d2 (&(&ctx->ctx_lock)->rlock){..-.}, at: io_submit_one+0xead/0x2eb0
[ 71.979999] 
[ 71.979999] the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
[ 71.989029] -> (&(&ctx->ctx_lock)->rlock){..-.} ops: 17 {
[ 71.994558]    IN-SOFTIRQ-W at:
[ 71.997824]                     lock_acquire+0x16f/0x3f0
[ 72.003263]                     _raw_spin_lock_irq+0x60/0x80
[ 72.009049]                     free_ioctx_users+0x2d/0x490
[ 72.014782]                     percpu_ref_switch_to_atomic_rcu+0x407/0x540
[ 72.021886]                     rcu_process_callbacks+0xba0/0x1a30
[ 72.028195]                     __do_softirq+0x25c/0x921
[ 72.033640]                     irq_exit+0x180/0x1d0
[ 72.038737]                     smp_apic_timer_interrupt+0x13b/0x550
[ 72.045215]                     apic_timer_interrupt+0xf/0x20
[ 72.051084]                     native_safe_halt+0xe/0x10
[ 72.056672]                     arch_cpu_idle+0xa/0x10
[ 72.061943]                     default_idle_call+0x36/0x90
[ 72.067638]                     do_idle+0x377/0x560
[ 72.072637]                     cpu_startup_entry+0xc8/0xe0
[ 72.078379]                     rest_init+0xf1/0xf6
[ 72.083383]                     start_kernel+0x88c/0x8c5
[ 72.088817]                     x86_64_start_reservations+0x29/0x2b
[ 72.095208]                     x86_64_start_kernel+0x77/0x7b
[ 72.101079]                     secondary_startup_64+0xa4/0xb0
[ 72.107028]    INITIAL USE at:
[ 72.110210]                    lock_acquire+0x16f/0x3f0
[ 72.115561]                    _raw_spin_lock_irq+0x60/0x80
[ 72.121256]                    free_ioctx_users+0x2d/0x490
[ 72.126867]                    percpu_ref_switch_to_atomic_rcu+0x407/0x540
[ 72.133930]                    rcu_process_callbacks+0xba0/0x1a30
[ 72.140154]                    __do_softirq+0x25c/0x921
[ 72.145500]                    irq_exit+0x180/0x1d0
[ 72.150597]                    smp_apic_timer_interrupt+0x13b/0x550
[ 72.156988]                    apic_timer_interrupt+0xf/0x20
[ 72.162781]                    native_safe_halt+0xe/0x10
[ 72.168217]                    arch_cpu_idle+0xa/0x10
[ 72.173449]                    default_idle_call+0x36/0x90
[ 72.179067]                    do_idle+0x377/0x560
[ 72.183983]                    cpu_startup_entry+0xc8/0xe0
[ 72.189591]                    rest_init+0xf1/0xf6
[ 72.194504]                    start_kernel+0x88c/0x8c5
[ 72.199850]                    x86_64_start_reservations+0x29/0x2b
[ 72.206150]                    x86_64_start_kernel+0x77/0x7b
[ 72.212041]                    secondary_startup_64+0xa4/0xb0
[ 72.217904]  }
[ 72.219707]  ... key      at: [] __key.50188+0x0/0x40
[ 72.226438]  ... acquired at:
[ 72.229537]    lock_acquire+0x16f/0x3f0
[ 72.233495]    _raw_spin_lock+0x2f/0x40
[ 72.237454]    io_submit_one+0xef2/0x2eb0
[ 72.241834]    __x64_sys_io_submit+0x1aa/0x520
[ 72.246401]    do_syscall_64+0xfd/0x620
[ 72.250362]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.255711] 
[ 72.257316] 
[ 72.257316] the dependencies between the lock to be acquired
[ 72.257320]  and SOFTIRQ-irq-unsafe lock:
[ 72.268696] -> (&ctx->fault_pending_wqh){+.+.} ops: 98 {
[ 72.274370]    HARDIRQ-ON-W at:
[ 72.277735]                     lock_acquire+0x16f/0x3f0
[ 72.283346]                     _raw_spin_lock+0x2f/0x40
[ 72.288961]                     userfaultfd_release+0x4d6/0x720
[ 72.295191]                     __fput+0x2dd/0x8b0
[ 72.300275]                     ____fput+0x16/0x20
[ 72.305363]                     task_work_run+0x145/0x1c0
[ 72.311060]                     get_signal+0x1baa/0x1fc0
[ 72.316669]                     do_signal+0x95/0x1960
[ 72.322017]                     exit_to_usermode_loop+0x244/0x2c0
[ 72.328449]                     do_syscall_64+0x53d/0x620
[ 72.334157]                     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.341246]    SOFTIRQ-ON-W at:
[ 72.344612]                     lock_acquire+0x16f/0x3f0
[ 72.350229]                     _raw_spin_lock+0x2f/0x40
[ 72.355838]                     userfaultfd_release+0x4d6/0x720
[ 72.362055]                     __fput+0x2dd/0x8b0
[ 72.367263]                     ____fput+0x16/0x20
[ 72.372352]                     task_work_run+0x145/0x1c0
[ 72.378046]                     get_signal+0x1baa/0x1fc0
[ 72.383724]                     do_signal+0x95/0x1960
[ 72.389095]                     exit_to_usermode_loop+0x244/0x2c0
[ 72.395488]                     do_syscall_64+0x53d/0x620
[ 72.401185]                     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.408180]    INITIAL USE at:
[ 72.411451]                    lock_acquire+0x16f/0x3f0
[ 72.416972]                    _raw_spin_lock+0x2f/0x40
[ 72.422496]                    userfaultfd_read+0x394/0x18c0
[ 72.428447]                    __vfs_read+0x114/0x800
[ 72.433789]                    vfs_read+0x194/0x3d0
[ 72.438959]                    ksys_read+0x14f/0x2d0
[ 72.444344]                    __x64_sys_read+0x73/0xb0
[ 72.449895]                    do_syscall_64+0xfd/0x620
[ 72.455424]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.462328]  }
[ 72.464203]  ... key      at: [] __key.43722+0x0/0x40
[ 72.471018]  ... acquired at:
[ 72.474194]    _raw_spin_lock+0x2f/0x40
[ 72.478150]    userfaultfd_read+0x394/0x18c0
[ 72.482540]    __vfs_read+0x114/0x800
[ 72.486327]    vfs_read+0x194/0x3d0
[ 72.489935]    ksys_read+0x14f/0x2d0
[ 72.493628]    __x64_sys_read+0x73/0xb0
[ 72.497585]    do_syscall_64+0xfd/0x620
[ 72.501554]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.506927] 
[ 72.508535] -> (&ctx->fd_wqh){....} ops: 100 {
[ 72.513144]    INITIAL USE at:
[ 72.516328]                    lock_acquire+0x16f/0x3f0
[ 72.521677]                    _raw_spin_lock_irq+0x60/0x80
[ 72.527381]                    userfaultfd_read+0x262/0x18c0
[ 72.533252]                    __vfs_read+0x114/0x800
[ 72.538427]                    vfs_read+0x194/0x3d0
[ 72.543440]                    ksys_read+0x14f/0x2d0
[ 72.548541]                    __x64_sys_read+0x73/0xb0
[ 72.553887]                    do_syscall_64+0xfd/0x620
[ 72.559235]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.565966]  }
[ 72.567756]  ... key      at: [] __key.43725+0x0/0x40
[ 72.574482]  ... acquired at:
[ 72.577575]    lock_acquire+0x16f/0x3f0
[ 72.581541]    _raw_spin_lock+0x2f/0x40
[ 72.585497]    io_submit_one+0xef2/0x2eb0
[ 72.589627]    __x64_sys_io_submit+0x1aa/0x520
[ 72.594264]    do_syscall_64+0xfd/0x620
[ 72.598307]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.603653] 
[ 72.605257] 
[ 72.605257] stack backtrace:
[ 72.609738] CPU: 0 PID: 7825 Comm: syz-executor.0 Not tainted 4.19.49 #21
[ 72.616679] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.626192] Call Trace:
[ 72.628770]  dump_stack+0x172/0x1f0
[ 72.632385]  check_usage.cold+0x611/0x946
[ 72.636522]  ? check_usage_forwards+0x340/0x340
[ 72.641181]  ? unwind_get_return_address+0x61/0xa0
[ 72.646100]  ? check_noncircular+0x20/0x20
[ 72.650323]  __lock_acquire+0x1ee4/0x48f0
[ 72.654464]  ? __lock_acquire+0x1ee4/0x48f0
[ 72.658770]  ? mark_held_locks+0x100/0x100
[ 72.662995]  ? __debug_object_init+0x190/0xc30
[ 72.667563]  ? mark_held_locks+0x100/0x100
[ 72.671845]  ? add_wait_queue+0x112/0x170
[ 72.675984]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 72.681073]  ? add_wait_queue+0x112/0x170
[ 72.685247]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 72.689826]  ? trace_hardirqs_on+0x67/0x220
[ 72.694133]  ? kasan_check_read+0x11/0x20
[ 72.698267]  lock_acquire+0x16f/0x3f0
[ 72.702335]  ? io_submit_one+0xef2/0x2eb0
[ 72.706478]  _raw_spin_lock+0x2f/0x40
[ 72.710271]  ? io_submit_one+0xef2/0x2eb0
[ 72.714404]  io_submit_one+0xef2/0x2eb0
[ 72.718362]  ? ioctx_alloc+0x1db0/0x1db0
[ 72.722410]  ? __might_fault+0x12b/0x1e0
[ 72.726457]  ? aio_setup_rw+0x180/0x180
[ 72.730422]  __x64_sys_io_submit+0x1aa/0x520
[ 72.734815]  ? __x64_sys_io_submit+0x1aa/0x520
[ 72.739383]  ? __ia32_sys_io_destroy+0x420/0x420
[ 72.744129]  ? do_syscall_64+0x26/0x620
[ 72.748087]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.753477]  ? do_syscall_64+0x26/0x620
[ 72.757445]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 72.762056]  do_syscall_64+0xfd/0x620
[ 72.765850]  ? do_syscall_64+0xfd/0x620
[ 72.769819]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.774990] RIP: 0033:0x459279
[ 72.778175] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 72.797236] RSP: 002b:00007f40d2400c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
[ 72.804929] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459279
[ 72.812182] RDX: 0000000020000600 RSI: 0000000000000001 RDI: 00007f40d2402000
[ 72.819436] RBP: 000000000075bfc0 R08: 0000000000000000 R09: 0000000000000000
[ 72.826703] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f40d24016d4
[ 72.833998] R13: 00000000004c05dd R14: 00000000004d2f88 R15: 00000000ffffffff
2019/06/10 04:30:35 executed programs: 17
[ 72.906996] kobject: 'loop0' (000000004bf9af88): kobject_uevent_env
[ 72.913453] kobject: 'loop0' (000000004bf9af88): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 73.858679] kobject: 'loop0' (000000004bf9af88): kobject_uevent_env
[ 73.865229] kobject: 'loop0' (000000004bf9af88): fill_kobj_path: path = '/devices/virtual/block/loop0'