=============================
WARNING: suspicious RCU usage
4.15.0-rc8+ #179 Not tainted
-----------------------------
./include/linux/rcupdate.h:302 Illegal context switch in RCU read-side critical section!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 0
4 locks held by syz-executor6/17183:
 #0:  (&mm->mmap_sem){++++}, at: [<00000000228f7e19>] __do_page_fault+0x32d/0xc90 arch/x86/mm/fault.c:1359
 #1:  (&p->pi_lock){-.-.}, at: [<000000008c9e899d>] try_to_wake_up+0xbc/0x1600 kernel/sched/core.c:1988
 #2:  (&rq->lock){-.-.}, at: [<00000000bd8027de>] rq_lock kernel/sched/sched.h:1766 [inline]
 #2:  (&rq->lock){-.-.}, at: [<00000000bd8027de>] ttwu_queue kernel/sched/core.c:1863 [inline]
 #2:  (&rq->lock){-.-.}, at: [<00000000bd8027de>] try_to_wake_up+0xa29/0x1600 kernel/sched/core.c:2078
 #3:  (rcu_read_lock){....}, at: [<00000000b0df8609>] cpuacct_charge+0xcc/0x5c0 kernel/sched/cpuacct.c:355

stack backtrace:
CPU: 0 PID: 17183 Comm: syz-executor6 Not tainted 4.15.0-rc8+ #179
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4585
 rcu_preempt_sleep_check include/linux/rcupdate.h:301 [inline]
 ___might_sleep+0x385/0x470 kernel/sched/core.c:6025
 clear_huge_page+0xa5/0x730 mm/memory.c:4577
 __do_huge_pmd_anonymous_page mm/huge_memory.c:570 [inline]
 do_huge_pmd_anonymous_page+0x59c/0x1b00 mm/huge_memory.c:728
 create_huge_pmd mm/memory.c:3834 [inline]
 __handle_mm_fault+0x1a0c/0x3ce0 mm/memory.c:4038
 handle_mm_fault+0x334/0x8d0 mm/memory.c:4104
 __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1430
 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1505
 page_fault+0x4c/0x60 arch/x86/entry/entry_64.S:1260
RIP: 0023:0x804a881
RSP: 002b:000000000844f8e0 EFLAGS: 00010246
RAX: 0000000020c37000 RBX: 0000000000000000 RCX: 000000004c238220
RDX: 0000000000000000 RSI: 00000000000000aa RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

============================================
WARNING: possible recursive locking detected
4.15.0-rc8+ #179 Not tainted
--------------------------------------------
syz-executor3/17191 is trying to acquire lock:
 (&vq->mutex){+.+.}, at: [<000000000eb8a84b>] vhost_dev_lock_vqs drivers/vhost/vhost.c:907 [inline]
 (&vq->mutex){+.+.}, at: [<000000000eb8a84b>] vhost_process_iotlb_msg drivers/vhost/vhost.c:997 [inline]
 (&vq->mutex){+.+.}, at: [<000000000eb8a84b>] vhost_chr_write_iter+0x278/0x1580 drivers/vhost/vhost.c:1046

but task is already holding lock:
 (&vq->mutex){+.+.}, at: [<000000000eb8a84b>] vhost_dev_lock_vqs drivers/vhost/vhost.c:907 [inline]
 (&vq->mutex){+.+.}, at: [<000000000eb8a84b>] vhost_process_iotlb_msg drivers/vhost/vhost.c:997 [inline]
 (&vq->mutex){+.+.}, at: [<000000000eb8a84b>] vhost_chr_write_iter+0x278/0x1580 drivers/vhost/vhost.c:1046

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&vq->mutex);
  lock(&vq->mutex);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

1 lock held by syz-executor3/17191:
 #0:  (&vq->mutex){+.+.}, at: [<000000000eb8a84b>] vhost_dev_lock_vqs drivers/vhost/vhost.c:907 [inline]
 #0:  (&vq->mutex){+.+.}, at: [<000000000eb8a84b>] vhost_process_iotlb_msg drivers/vhost/vhost.c:997 [inline]
 #0:  (&vq->mutex){+.+.}, at: [<000000000eb8a84b>] vhost_chr_write_iter+0x278/0x1580 drivers/vhost/vhost.c:1046

stack backtrace:
CPU: 1 PID: 17191 Comm: syz-executor3 Not tainted 4.15.0-rc8+ #179
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_deadlock_bug kernel/locking/lockdep.c:1756 [inline]
 check_deadlock kernel/locking/lockdep.c:1800 [inline]
 validate_chain kernel/locking/lockdep.c:2396 [inline]
 __lock_acquire+0xe8f/0x3e00 kernel/locking/lockdep.c:3426
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
 vhost_dev_lock_vqs drivers/vhost/vhost.c:907 [inline]
 vhost_process_iotlb_msg drivers/vhost/vhost.c:997 [inline]
 vhost_chr_write_iter+0x278/0x1580 drivers/vhost/vhost.c:1046
 vhost_net_chr_write_iter+0x59/0x70 drivers/vhost/net.c:1353
 call_write_iter include/linux/fs.h:1772 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x684/0x970 fs/read_write.c:482
 vfs_write+0x189/0x510 fs/read_write.c:544
 SYSC_write fs/read_write.c:589 [inline]
 SyS_write+0xef/0x220 fs/read_write.c:581
 do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
 do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
 entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:129
RIP: 0023:0xf7f14c79
RSP: 002b:00000000f771008c EFLAGS: 00000296 ORIG_RAX: 0000000000000004
RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00000000208baf98
RDX: 0000000000000050 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

SELinux: unrecognized netlink message: protocol=0 nlmsg_type=15 sclass=netlink_route_socket pig=17225 comm=syz-executor3
netlink: 'syz-executor7': attribute type 29 has an invalid length.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 'syz-executor7': attribute type 29 has an invalid length.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'.
RDS: rds_bind could not find a transport for 224.0.0.1, load rds_tcp or rds_rdma?
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=15 sclass=netlink_route_socket pig=17234 comm=syz-executor3
binder_alloc: binder_alloc_mmap_handler: 17423 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 17423:17427 ioctl 40046207 0 returned -16
binder_alloc: 17423: binder_alloc_buf, no vma
binder: 17423:17427 transaction failed 29189/-3, size 40-8 line 2903
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 17423:17427 transaction 84 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 84, target dead
tmpfs: Bad mount option 3>í÷ýßLv:lwþȸÕ©dr¯$»h½íjÒ¬ƒŠ9Äõ|×ÛÎa
tmpfs: Bad mount option 3>í÷ýßLv:lwþȸÕ©dr¯$»h½íjÒ¬ƒŠ9Äõ|×ÛÎa
Option ' µ/Öa’C¯(êËBÉ;ÅZ¡8 o' to dns_resolver key: bad/missing value
Option ' µ/Öa’C¯(êËBÉ;ÅZ¡8 o' to dns_resolver key: bad/missing value
QAT: Device 2 not found
QAT: Device 2 not found
audit: type=1400 audit(1516434883.316:168): avc: denied { write } for pid=17936 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
binder_alloc: 17958: binder_alloc_buf failed to map page at 20000000 in userspace
binder: 17958:17964 transaction failed 29201/-12, size 0-0 line 2903
binder: BINDER_SET_CONTEXT_MGR already set
binder: 17958:17983 ioctl 40046207 0 returned -16
binder_alloc: 17958: binder_alloc_buf, no vma
binder: 17958:17983 transaction failed 29189/-3, size 0-0 line 2903
audit: type=1400 audit(1516434883.581:169): avc: denied { setopt } for pid=18022 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
audit: type=1400 audit(1516434884.137:170): avc: denied { getopt } for pid=18154 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1516434884.171:171): avc: denied { map } for pid=18147 comm="syz-executor3" path="socket:[42391]" dev="sockfs" ino=42391 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=socket permissive=1
APIC base relocation is unsupported by KVM
audit: type=1400 audit(1516434884.363:172): avc: denied { write } for pid=18214 comm="syz-executor5" path="socket:[41697]" dev="sockfs" ino=41697 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
QAT: Invalid ioctl
QAT: Invalid ioctl
dccp_close: ABORT with 140 bytes unread
binder: 18333:18337 transaction failed 29189/-22, size 0-8 line 2788
binder: 18333:18352 transaction failed 29189/-22, size 0-8 line 2788
binder: 18333:18337 transaction failed 29189/-22, size 0-0 line 2788
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
audit: type=1400 audit(1516434884.902:173): avc: denied { map } for pid=18365 comm="syz-executor1" path="/dev/sg0" dev="devtmpfs" ino=8885 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
binder: 18387:18391 ioctl 0 20570000 returned -22
binder: 18387:18400 ioctl 0 20570000 returned -22
QAT: Invalid ioctl
QAT: Invalid ioctl
9pnet_virtio: no channels available for device ./file0/control
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
dccp_invalid_packet: P.Data Offset(66) too large
SELinux: policydb version 1032944053 does not match my version range 15-31
SELinux: failed to load policy
SELinux: policydb version 1032944053 does not match my version range 15-31
SELinux: failed to load policy
QAT: Invalid ioctl
QAT: Invalid ioctl
ip_tunnel: non-ECT from 0.0.0.0 with TOS=0x3
ip_tunnel: non-ECT from 0.0.0.0 with TOS=0x3
audit: type=1326 audit(1516434887.705:174): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=19065 comm="syz-executor3" exe="/root/syz-executor3" sig=9 arch=40000003 syscall=240 compat=1 ip=0xf7f14c79 code=0x0
audit: type=1400 audit(1516434887.736:175): avc: denied { write } for pid=19063 comm="syz-executor2" name="net" dev="proc" ino=44457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1
audit: type=1400 audit(1516434887.736:176): avc: denied { add_name } for pid=19063 comm="syz-executor2" name="pfkey" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1
netlink: 'syz-executor6': attribute type 1 has an invalid length.
netlink: 'syz-executor6': attribute type 1 has an invalid length.
audit: type=1400 audit(1516434887.737:177): avc: denied { create } for pid=19063 comm="syz-executor2" name="pfkey" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:insmod_t:s0 tclass=file permissive=1
binder: 19065:19084 ioctl c0306201 20005000 returned -14
binder: 19065:19096 ioctl c0306201 20005000 returned -14
sctp: [Deprecated]: syz-executor3 (pid 19124) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
binder: 19238:19244 got transaction with invalid offsets size, 365
binder: 19238:19244 transaction failed 29201/-22, size 56-365 line 2939
binder: 19238:19244 ioctl ae03 10000 returned -22
binder_alloc: 19238: binder_alloc_buf, no vma
binder: 19238:19250 transaction failed 29189/-3, size 56-365 line 2903
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19238:19244 ioctl 40046207 0 returned -16
binder: 19238:19244 ioctl ae03 10000 returned -22
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
SELinux: failed to load policy
SELinux: failed to load policy
binder: 19446:19460 ioctl c0106434 20000152 returned -22
binder: 19446:19451 ioctl 80084502 20000000 returned -22
binder: 19446:19451 ioctl c0306201 20002fd0 returned -14
binder: 19511:19515 ERROR: BC_REGISTER_LOOPER called without request
binder: 19515 RLIMIT_NICE not set
binder_alloc: binder_alloc_mmap_handler: 19511 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19511:19515 ioctl 40046207 0 returned -16
binder_alloc: 19511: binder_alloc_buf, no vma
binder: 19511:19533 transaction failed 29189/-3, size 0-0 line 2903
syz-executor0 (19669) used greatest stack depth: 13728 bytes left