Warning: Permanently added '10.128.0.168' (ECDSA) to the list of known hosts.
executing program
[ 60.812116] audit: type=1400 audit(1560715658.504:36): avc: denied { map } for pid=8029 comm="syz-executor068" path="/root/syz-executor068989011" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 61.103088] 
[ 61.105083] ========================================================
[ 61.112128] WARNING: possible irq lock inversion dependency detected
[ 61.119424] 4.19.51 #23 Not tainted
[ 61.123057] --------------------------------------------------------
[ 61.129640] syz-executor068/8031 just changed the state of lock:
[ 61.135900] 000000004926c8ee (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x4d6/0x720
[ 61.146020] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 61.153496]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 61.153513] 
[ 61.153513] 
[ 61.153513] and interrupts could create inverse lock ordering between them.
[ 61.153513] 
[ 61.171122] 
[ 61.171122] other info that might help us debug this:
[ 61.178943] Chain exists of:
[ 61.178943]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 61.178943] 
[ 61.191112]  Possible interrupt unsafe locking scenario:
[ 61.191112] 
[ 61.198783]        CPU0                    CPU1
[ 61.205799]        ----                    ----
[ 61.210674]   lock(&ctx->fault_pending_wqh);
[ 61.216244]                                local_irq_disable();
[ 61.222323]                                lock(&(&ctx->ctx_lock)->rlock);
[ 61.229588]                                lock(&ctx->fd_wqh);
[ 61.235762]   <Interrupt>
[ 61.238735]     lock(&(&ctx->ctx_lock)->rlock);
[ 61.244875] 
[ 61.244875]  *** DEADLOCK ***
[ 61.244875] 
[ 61.251951] no locks held by syz-executor068/8031.
[ 61.259391] 
[ 61.259391] the shortest dependencies between 2nd lock and 1st lock:
[ 61.267582] -> (&(&ctx->ctx_lock)->rlock){..-.} ops: 2 {
[ 61.273651]    IN-SOFTIRQ-W at:
[ 61.277146]                     lock_acquire+0x16f/0x3f0
[ 61.282980]                     _raw_spin_lock_irq+0x60/0x80
[ 61.289377]                     free_ioctx_users+0x2d/0x490
[ 61.296012]                     percpu_ref_switch_to_atomic_rcu+0x407/0x540
[ 61.303883]                     rcu_process_callbacks+0xba0/0x1a30
[ 61.311485]                     __do_softirq+0x25c/0x921
[ 61.317721]                     irq_exit+0x180/0x1d0
[ 61.324445]                     smp_apic_timer_interrupt+0x13b/0x550
[ 61.335897]                     apic_timer_interrupt+0xf/0x20
[ 61.342801]                     native_safe_halt+0xe/0x10
[ 61.348745]                     arch_cpu_idle+0xa/0x10
[ 61.354465]                     default_idle_call+0x36/0x90
[ 61.360771]                     do_idle+0x377/0x560
[ 61.367264]                     cpu_startup_entry+0xc8/0xe0
[ 61.373869]                     rest_init+0xf1/0xf6
[ 61.379274]                     start_kernel+0x88c/0x8c5
[ 61.385077]                     x86_64_start_reservations+0x29/0x2b
[ 61.391831]                     x86_64_start_kernel+0x77/0x7b
[ 61.398082]                     secondary_startup_64+0xa4/0xb0
[ 61.406721]    INITIAL USE at:
[ 61.410361]                    lock_acquire+0x16f/0x3f0
[ 61.416091]                    _raw_spin_lock_irq+0x60/0x80
[ 61.422192]                    io_submit_one+0xead/0x2eb0
[ 61.428202]                    __x64_sys_io_submit+0x1aa/0x520
[ 61.435407]                    do_syscall_64+0xfd/0x620
[ 61.442341]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.449864]  }
[ 61.451861]  ... key      at: [] __key.50192+0x0/0x40
[ 61.459761]  ... acquired at:
[ 61.463049]    _raw_spin_lock+0x2f/0x40
[ 61.467032]    io_submit_one+0xef2/0x2eb0
[ 61.471211]    __x64_sys_io_submit+0x1aa/0x520
[ 61.475907]    do_syscall_64+0xfd/0x620
[ 61.480278]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.486187] 
[ 61.488085] -> (&ctx->fd_wqh){....} ops: 4 {
[ 61.492692]    INITIAL USE at:
[ 61.495978]                    lock_acquire+0x16f/0x3f0
[ 61.501597]                    _raw_spin_lock_irq+0x60/0x80
[ 61.507538]                    userfaultfd_read+0x262/0x18c0
[ 61.514217]                    do_iter_read+0x490/0x640
[ 61.521085]                    vfs_readv+0xf0/0x160
[ 61.526291]                    do_readv+0x15e/0x370
[ 61.531522]                    __x64_sys_readv+0x75/0xb0
[ 61.539307]                    do_syscall_64+0xfd/0x620
[ 61.545043]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.552154]  }
[ 61.554050]  ... key      at: [] __key.43729+0x0/0x40
[ 61.560883]  ... acquired at:
[ 61.564994]    _raw_spin_lock+0x2f/0x40
[ 61.569005]    userfaultfd_read+0x394/0x18c0
[ 61.573445]    do_iter_read+0x490/0x640
[ 61.577417]    vfs_readv+0xf0/0x160
[ 61.581033]    do_readv+0x15e/0x370
[ 61.584648]    __x64_sys_readv+0x75/0xb0
[ 61.588784]    do_syscall_64+0xfd/0x620
[ 61.594254]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.599628] 
[ 61.601245] -> (&ctx->fault_pending_wqh){+.+.} ops: 3 {
[ 61.606600]    HARDIRQ-ON-W at:
[ 61.609884]                     lock_acquire+0x16f/0x3f0
[ 61.615520]                     _raw_spin_lock+0x2f/0x40
[ 61.621494]                     userfaultfd_release+0x4d6/0x720
[ 61.627662]                     __fput+0x2dd/0x8b0
[ 61.632587]                     ____fput+0x16/0x20
[ 61.637541]                     task_work_run+0x145/0x1c0
[ 61.643079]                     do_exit+0x933/0x2fa0
[ 61.648175]                     do_group_exit+0x135/0x370
[ 61.653823]                     get_signal+0x3ec/0x1fc0
[ 61.659185]                     do_signal+0x95/0x1960
[ 61.664407]                     exit_to_usermode_loop+0x244/0x2c0
[ 61.672313]                     do_syscall_64+0x53d/0x620
[ 61.677849]                     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.684693]    SOFTIRQ-ON-W at:
[ 61.687971]                     lock_acquire+0x16f/0x3f0
[ 61.693421]                     _raw_spin_lock+0x2f/0x40
[ 61.698896]                     userfaultfd_release+0x4d6/0x720
[ 61.705976]                     __fput+0x2dd/0x8b0
[ 61.711642]                     ____fput+0x16/0x20
[ 61.716576]                     task_work_run+0x145/0x1c0
[ 61.722138]                     do_exit+0x933/0x2fa0
[ 61.728173]                     do_group_exit+0x135/0x370
[ 61.733713]                     get_signal+0x3ec/0x1fc0
[ 61.739081]                     do_signal+0x95/0x1960
[ 61.744416]                     exit_to_usermode_loop+0x244/0x2c0
[ 61.750654]                     do_syscall_64+0x53d/0x620
[ 61.757024]                     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.763877]    INITIAL USE at:
[ 61.767075]                    lock_acquire+0x16f/0x3f0
[ 61.772653]                    _raw_spin_lock+0x2f/0x40
[ 61.780065]                    userfaultfd_read+0x394/0x18c0
[ 61.787221]                    do_iter_read+0x490/0x640
[ 61.792808]                    vfs_readv+0xf0/0x160
[ 61.798256]                    do_readv+0x15e/0x370
[ 61.804457]                    __x64_sys_readv+0x75/0xb0
[ 61.809921]                    do_syscall_64+0xfd/0x620
[ 61.815309]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.822058]  }
[ 61.823867]  ... key      at: [] __key.43726+0x0/0x40
[ 61.830725]  ... acquired at:
[ 61.833855]    mark_lock+0x420/0x1370
[ 61.837653]    __lock_acquire+0x6b5/0x48f0
[ 61.841881]    lock_acquire+0x16f/0x3f0
[ 61.845848]    _raw_spin_lock+0x2f/0x40
[ 61.849911]    userfaultfd_release+0x4d6/0x720
[ 61.854915]    __fput+0x2dd/0x8b0
[ 61.859301]    ____fput+0x16/0x20
[ 61.862782]    task_work_run+0x145/0x1c0
[ 61.866834]    do_exit+0x933/0x2fa0
[ 61.870458]    do_group_exit+0x135/0x370
[ 61.874509]    get_signal+0x3ec/0x1fc0
[ 61.878684]    do_signal+0x95/0x1960
[ 61.882400]    exit_to_usermode_loop+0x244/0x2c0
[ 61.887150]    do_syscall_64+0x53d/0x620
[ 61.891884]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.897236] 
[ 61.898888] 
[ 61.898888] stack backtrace:
[ 61.904353] CPU: 0 PID: 8031 Comm: syz-executor068 Not tainted 4.19.51 #23
[ 61.911360] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.920832] Call Trace:
[ 61.923848]  dump_stack+0x172/0x1f0
[ 61.927918]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 61.933314]  check_usage_backwards.cold+0x1d/0x26
[ 61.938209]  ? print_shortest_lock_dependencies+0x90/0x90
[ 61.943844]  ? save_stack_trace+0x1a/0x20
[ 61.948512]  ? save_trace+0xe0/0x290
[ 61.952513]  mark_lock+0x420/0x1370
[ 61.956143]  ? print_shortest_lock_dependencies+0x90/0x90
[ 61.961682]  __lock_acquire+0x6b5/0x48f0
[ 61.965760]  ? is_bpf_text_address+0xd3/0x170
[ 61.970269]  ? kernel_text_address+0x73/0xf0
[ 61.976141]  ? mark_held_locks+0x100/0x100
[ 61.980386]  ? __lock_acquire+0x6eb/0x48f0
[ 61.984629]  ? __lock_acquire+0x6eb/0x48f0
[ 61.989087]  ? free_fs_struct+0x4f/0x70
[ 61.993069]  ? do_exit+0x902/0x2fa0
[ 61.996722]  lock_acquire+0x16f/0x3f0
[ 62.000526]  ? userfaultfd_release+0x4d6/0x720
[ 62.005193]  _raw_spin_lock+0x2f/0x40
[ 62.009327]  ? userfaultfd_release+0x4d6/0x720
[ 62.014024]  userfaultfd_release+0x4d6/0x720
[ 62.018450]  ? userfaultfd_ctx_get+0x1a0/0x1a0
[ 62.023048]  ? ___might_sleep+0x163/0x280
[ 62.027223]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 62.036616]  ? ima_file_free+0xc9/0x4a0
[ 62.040600]  ? userfaultfd_ctx_get+0x1a0/0x1a0
[ 62.045273]  __fput+0x2dd/0x8b0
[ 62.048565]  ____fput+0x16/0x20
[ 62.051870]  task_work_run+0x145/0x1c0
[ 62.055779]  do_exit+0x933/0x2fa0
[ 62.059316]  ? get_signal+0x384/0x1fc0
[ 62.063219]  ? mm_update_next_owner+0x660/0x660
[ 62.067883]  ? _raw_spin_unlock_irq+0x28/0x90
[ 62.072389]  ? get_signal+0x384/0x1fc0
[ 62.076273]  ? _raw_spin_unlock_irq+0x28/0x90
[ 62.081066]  do_group_exit+0x135/0x370
[ 62.084977]  get_signal+0x3ec/0x1fc0
[ 62.088754]  ? mark_held_locks+0x100/0x100
[ 62.093166]  do_signal+0x95/0x1960
[ 62.096729]  ? __x64_sys_io_submit+0x2e8/0x520
[ 62.101324]  ? setup_sigcontext+0x7d0/0x7d0
[ 62.105704]  ? lock_downgrade+0x810/0x810
[ 62.109864]  ? kasan_check_read+0x11/0x20
[ 62.114122]  ? __x64_sys_futex+0x40d/0x590
[ 62.118356]  ? exit_to_usermode_loop+0x43/0x2c0
[ 62.123058]  ? do_syscall_64+0x53d/0x620
[ 62.127146]  ? exit_to_usermode_loop+0x43/0x2c0
[ 62.132301]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 62.136901]  ? trace_hardirqs_on+0x67/0x220
[ 62.141227]  exit_to_usermode_loop+0x244/0x2c0
[ 62.145816]  do_syscall_64+0x53d/0x620
[ 62.149853]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.155464] RIP: 0033:0x445919
[ 62.158703] C
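Added example, not part of the crash report above and not kernel code: a small userspace C model of the lockdep rule that produced this warning, fed only with the facts the report prints. Those facts are the chain "&(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh", the IN-SOFTIRQ-W usage of ctx_lock (free_ioctx_users reached from __do_softirq) and the SOFTIRQ-ON-W usage of fault_pending_wqh (plain _raw_spin_lock in userfaultfd_release). The graph representation, the function names and the model_irq_disabled_release() helper are assumptions of the model; the helper only shows what the same rule concludes if the release path took fault_pending_wqh with an _irq variant, like the _raw_spin_lock_irq the report shows for the other two locks.

```c
/*
 * Model of lockdep's irq-inversion check, built from the report's facts.
 * Rule: a lock ever taken in softirq context (IN-SOFTIRQ-W) must not be able
 * to reach, through "held while taking" edges, a lock ever taken with
 * softirqs enabled (SOFTIRQ-ON-W). If it can, a task holding the unsafe lock
 * can be interrupted by a softirq that takes the safe lock and then waits
 * on the chain, which is the CPU0/CPU1 scenario the report prints.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The three lock classes the report names, in the order of its chain. */
enum { CTX_LOCK, FD_WQH, FAULT_PENDING_WQH, NLOCKS };

static const char *lock_name[NLOCKS] = {
    "&(&ctx->ctx_lock)->rlock",
    "&ctx->fd_wqh",
    "&ctx->fault_pending_wqh",
};

struct lock_class {
    bool in_softirq;            /* IN-SOFTIRQ-W: acquired from softirq context */
    bool softirq_on;            /* SOFTIRQ-ON-W: acquired with softirqs enabled */
    bool held_before[NLOCKS];   /* held_before[b]: this lock was held when b was taken */
};

static struct lock_class classes[NLOCKS];

/* Record the dependency edge a -> b ("a was held when b was acquired"). */
static void add_dep(int a, int b) { classes[a].held_before[b] = true; }

/* Depth-first walk from `cur` looking for `target`; on success
 * path[0..*len) is the chain cur -> ... -> target. */
static bool dfs(int cur, int target, int *path, int *len, bool *seen)
{
    seen[cur] = true;
    path[(*len)++] = cur;
    if (cur == target)
        return true;
    for (int next = 0; next < NLOCKS; next++) {
        if (classes[cur].held_before[next] && !seen[next] &&
            dfs(next, target, path, len, seen))
            return true;
    }
    (*len)--;
    return false;
}

/* Returns 1 and fills path/len with the offending chain when a softirq-safe
 * lock can reach a softirq-unsafe one, 0 otherwise. A lock that is both
 * (safe == unsafe) is reported as a chain of length 1. */
int find_irq_inversion(int *path, int *len)
{
    for (int safe = 0; safe < NLOCKS; safe++) {
        if (!classes[safe].in_softirq)
            continue;
        for (int unsafe = 0; unsafe < NLOCKS; unsafe++) {
            if (!classes[unsafe].softirq_on)
                continue;
            bool seen[NLOCKS] = { false };
            *len = 0;
            if (dfs(safe, unsafe, path, len, seen))
                return 1;
        }
    }
    *len = 0;
    return 0;
}

/* Load exactly the facts the report prints (constructed from the traces above). */
void load_report_facts(void)
{
    memset(classes, 0, sizeof(classes));
    /* ctx_lock IN-SOFTIRQ-W: free_ioctx_users <- rcu_process_callbacks <- __do_softirq */
    classes[CTX_LOCK].in_softirq = true;
    /* fault_pending_wqh SOFTIRQ-ON-W: plain _raw_spin_lock in userfaultfd_release */
    classes[FAULT_PENDING_WQH].softirq_on = true;
    /* "Chain exists of: ctx_lock --> fd_wqh --> fault_pending_wqh" */
    add_dep(CTX_LOCK, FD_WQH);              /* io_submit_one: ctx_lock held, fd_wqh taken */
    add_dep(FD_WQH, FAULT_PENDING_WQH);     /* userfaultfd_read: fd_wqh held, fault_pending_wqh taken */
}

/* Assumed variant (not from the report): the release path takes the lock
 * with softirqs disabled, so it no longer has a SOFTIRQ-ON-W usage. */
void model_irq_disabled_release(void)
{
    classes[FAULT_PENDING_WQH].softirq_on = false;
}

int main(void)
{
    int path[NLOCKS], len;

    load_report_facts();
    if (find_irq_inversion(path, &len)) {
        printf("irq inversion: softirq-safe %s reaches softirq-unsafe %s:\n",
               lock_name[path[0]], lock_name[path[len - 1]]);
        for (int i = 0; i < len; i++)
            printf("  %s%s\n", lock_name[path[i]], i + 1 < len ? " -->" : "");
    }
    model_irq_disabled_release();
    printf("with the release-path lock taken irq-disabled: %s\n",
           find_irq_inversion(path, &len) ? "still inverted" : "no inversion");
    return 0;
}
```

The model reproduces what the report's "the shortest dependencies between 2nd lock and 1st lock" section lists: the reachability walk is what lockdep's check_usage_backwards does when a lock first gains a new usage bit (here fault_pending_wqh gaining SOFTIRQ-ON-W at userfaultfd_release), and the same walk turns up nothing once that usage bit is absent.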