possible deadlock in userfaultfd_read
8 views
Skip to first unread message
syzbot
Jun 5, 2019, 11:40:06 PM6/5/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: e109a984 Linux 4.19.48
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16b8b01ea00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2d14dd88554f26bc
dashboard link: https://syzkaller.appspot.com/bug?extid=5d6306ec057f3482ff50
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5d6306...@syzkaller.appspotmail.com
=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
4.19.48 #20 Not tainted
-----------------------------------------------------
syz-executor.4/24643 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
0000000007635533 (&ctx->fault_pending_wqh){+.+.}, at: spin_lock
include/linux/spinlock.h:329 [inline]
0000000007635533 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_ctx_read
fs/userfaultfd.c:1046 [inline]
0000000007635533 (&ctx->fault_pending_wqh){+.+.}, at:
userfaultfd_read+0x394/0x18c0 fs/userfaultfd.c:1204
and this task is already holding:
kobject: 'loop2' (0000000027a93f38): kobject_uevent_env
00000000703bca58 (&ctx->fd_wqh){....}, at: spin_lock_irq
include/linux/spinlock.h:354 [inline]
00000000703bca58 (&ctx->fd_wqh){....}, at: userfaultfd_ctx_read
fs/userfaultfd.c:1042 [inline]
00000000703bca58 (&ctx->fd_wqh){....}, at: userfaultfd_read+0x262/0x18c0
fs/userfaultfd.c:1204
which would create a new lock dependency:
(&ctx->fd_wqh){....} -> (&ctx->fault_pending_wqh){+.+.}
but this new dependency connects a SOFTIRQ-irq-safe lock:
kobject: 'loop2' (0000000027a93f38): fill_kobj_path: path
= '/devices/virtual/block/loop2'
(&(&ctx->ctx_lock)->rlock){..-.}
... which became SOFTIRQ-irq-safe at:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline]
_raw_spin_lock_irq+0x60/0x80 kernel/locking/spinlock.c:160
spin_lock_irq include/linux/spinlock.h:354 [inline]
free_ioctx_users+0x2d/0x490 fs/aio.c:614
percpu_ref_put_many include/linux/percpu-refcount.h:284 [inline]
percpu_ref_put include/linux/percpu-refcount.h:300 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:123 [inline]
percpu_ref_switch_to_atomic_rcu+0x407/0x540 lib/percpu-refcount.c:158
__rcu_reclaim kernel/rcu/rcu.h:236 [inline]
rcu_do_batch kernel/rcu/tree.c:2584 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
rcu_process_callbacks+0xba0/0x1a30 kernel/rcu/tree.c:2881
__do_softirq+0x25c/0x921 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:372 [inline]
irq_exit+0x180/0x1d0 kernel/softirq.c:412
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x13b/0x550 arch/x86/kernel/apic/apic.c:1056
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:869
to a SOFTIRQ-irq-unsafe lock:
(&ctx->fault_pending_wqh){+.+.}
... which became SOFTIRQ-irq-unsafe at:
...
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
userfaultfd_release+0x4d6/0x720 fs/userfaultfd.c:922
__fput+0x2dd/0x8b0 fs/file_table.c:278
____fput+0x16/0x20 fs/file_table.c:309
task_work_run+0x145/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x53d/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
other info that might help us debug this:
Chain exists of:
&(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
Possible interrupt unsafe locking scenario:
erofs: read_super, device -> /dev/loop2
CPU0 CPU1
---- ----
lock(&ctx->fault_pending_wqh);
local_irq_disable();
lock(&(&ctx->ctx_lock)->rlock);
lock(&ctx->fd_wqh);
<Interrupt>
lock(&(&ctx->ctx_lock)->rlock);
*** DEADLOCK ***
1 lock held by syz-executor.4/24643:
#0: 00000000703bca58 (
erofs: options ->
&ctx->fd_wqh){....}, at: spin_lock_irq include/linux/spinlock.h:354 [inline]
&ctx->fd_wqh){....}, at: userfaultfd_ctx_read fs/userfaultfd.c:1042 [inline]
&ctx->fd_wqh){....}, at: userfaultfd_read+0x262/0x18c0 fs/userfaultfd.c:1204
the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
-> (&(&ctx->ctx_lock)->rlock){..-.} ops: 185 {
IN-SOFTIRQ-W at:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock_irq
include/linux/spinlock_api_smp.h:128 [inline]
_raw_spin_lock_irq+0x60/0x80
kernel/locking/spinlock.c:160
spin_lock_irq include/linux/spinlock.h:354 [inline]
free_ioctx_users+0x2d/0x490 fs/aio.c:614
percpu_ref_put_many
include/linux/percpu-refcount.h:284 [inline]
percpu_ref_put include/linux/percpu-refcount.h:300
[inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:123
[inline]
percpu_ref_switch_to_atomic_rcu+0x407/0x540
lib/percpu-refcount.c:158
__rcu_reclaim kernel/rcu/rcu.h:236 [inline]
rcu_do_batch kernel/rcu/tree.c:2584 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2864
[inline]
rcu_process_callbacks+0xba0/0x1a30
kernel/rcu/tree.c:2881
__do_softirq+0x25c/0x921 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:372 [inline]
irq_exit+0x180/0x1d0 kernel/softirq.c:412
erofs: cannot find valid erofs superblock
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x13b/0x550
arch/x86/kernel/apic/apic.c:1056
apic_timer_interrupt+0xf/0x20
arch/x86/entry/entry_64.S:869
INITIAL USE at:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock_irq
include/linux/spinlock_api_smp.h:128 [inline]
_raw_spin_lock_irq+0x60/0x80
kernel/locking/spinlock.c:160
spin_lock_irq include/linux/spinlock.h:354 [inline]
free_ioctx_users+0x2d/0x490 fs/aio.c:614
percpu_ref_put_many
include/linux/percpu-refcount.h:284 [inline]
percpu_ref_put include/linux/percpu-refcount.h:300
[inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:123
[inline]
percpu_ref_switch_to_atomic_rcu+0x407/0x540
lib/percpu-refcount.c:158
__rcu_reclaim kernel/rcu/rcu.h:236 [inline]
rcu_do_batch kernel/rcu/tree.c:2584 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
rcu_process_callbacks+0xba0/0x1a30
kernel/rcu/tree.c:2881
__do_softirq+0x25c/0x921 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:372 [inline]
irq_exit+0x180/0x1d0 kernel/softirq.c:412
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x13b/0x550
arch/x86/kernel/apic/apic.c:1056
kobject: 'kvm' (0000000018211d98): kobject_uevent_env
apic_timer_interrupt+0xf/0x20
arch/x86/entry/entry_64.S:869
}
... key at: [<ffffffff8a3813a0>] __key.50187+0x0/0x40
... acquired at:
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
aio_poll fs/aio.c:1741 [inline]
__io_submit_one fs/aio.c:1849 [inline]
io_submit_one+0xef2/0x2eb0 fs/aio.c:1885
__do_sys_io_submit fs/aio.c:1929 [inline]
__se_sys_io_submit fs/aio.c:1900 [inline]
__x64_sys_io_submit+0x1aa/0x520 fs/aio.c:1900
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
-> (&ctx->fd_wqh){....} ops: 89 {
INITIAL USE at:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock_irqsave
include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x95/0xcd
kernel/locking/spinlock.c:152
__wake_up_common_lock+0xc7/0x190 kernel/sched/wait.c:120
__wake_up+0xe/0x10 kernel/sched/wait.c:145
userfaultfd_release+0x534/0x720 fs/userfaultfd.c:930
__fput+0x2dd/0x8b0 fs/file_table.c:278
____fput+0x16/0x20 fs/file_table.c:309
task_work_run+0x145/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193
[inline]
exit_to_usermode_loop+0x273/0x2c0
arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198
[inline]
syscall_return_slowpath arch/x86/entry/common.c:271
[inline]
do_syscall_64+0x53d/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
}
... key at: [<ffffffff8a381120>] __key.43724+0x0/0x40
... acquired at:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
userfaultfd_ctx_read fs/userfaultfd.c:1046 [inline]
userfaultfd_read+0x394/0x18c0 fs/userfaultfd.c:1204
__vfs_read+0x114/0x800 fs/read_write.c:416
vfs_read+0x194/0x3d0 fs/read_write.c:452
ksys_read+0x14f/0x2d0 fs/read_write.c:579
__do_sys_read fs/read_write.c:589 [inline]
__se_sys_read fs/read_write.c:587 [inline]
__x64_sys_read+0x73/0xb0 fs/read_write.c:587
kobject: 'kvm' (0000000018211d98): fill_kobj_path: path
= '/devices/virtual/misc/kvm'
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
the dependencies between the lock to be acquired
and SOFTIRQ-irq-unsafe lock:
-> (&ctx->fault_pending_wqh){+.+.} ops: 81 {
HARDIRQ-ON-W at:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock include/linux/spinlock_api_smp.h:142
[inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
userfaultfd_release+0x4d6/0x720 fs/userfaultfd.c:922
__fput+0x2dd/0x8b0 fs/file_table.c:278
____fput+0x16/0x20 fs/file_table.c:309
task_work_run+0x145/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193
[inline]
exit_to_usermode_loop+0x273/0x2c0
arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198
[inline]
syscall_return_slowpath arch/x86/entry/common.c:271
[inline]
do_syscall_64+0x53d/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
SOFTIRQ-ON-W at:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock include/linux/spinlock_api_smp.h:142
[inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
userfaultfd_release+0x4d6/0x720 fs/userfaultfd.c:922
__fput+0x2dd/0x8b0 fs/file_table.c:278
____fput+0x16/0x20 fs/file_table.c:309
task_work_run+0x145/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193
[inline]
exit_to_usermode_loop+0x273/0x2c0
arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198
[inline]
syscall_return_slowpath arch/x86/entry/common.c:271
[inline]
do_syscall_64+0x53d/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
INITIAL USE at:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock include/linux/spinlock_api_smp.h:142
[inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
userfaultfd_release+0x4d6/0x720 fs/userfaultfd.c:922
__fput+0x2dd/0x8b0 fs/file_table.c:278
____fput+0x16/0x20 fs/file_table.c:309
task_work_run+0x145/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193
[inline]
exit_to_usermode_loop+0x273/0x2c0
arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198
[inline]
syscall_return_slowpath arch/x86/entry/common.c:271
[inline]
do_syscall_64+0x53d/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
}
... key at: [<ffffffff8a3811e0>] __key.43721+0x0/0x40
... acquired at:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
userfaultfd_ctx_read fs/userfaultfd.c:1046 [inline]
userfaultfd_read+0x394/0x18c0 fs/userfaultfd.c:1204
__vfs_read+0x114/0x800 fs/read_write.c:416
vfs_read+0x194/0x3d0 fs/read_write.c:452
ksys_read+0x14f/0x2d0 fs/read_write.c:579
__do_sys_read fs/read_write.c:589 [inline]
__se_sys_read fs/read_write.c:587 [inline]
__x64_sys_read+0x73/0xb0 fs/read_write.c:587
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
stack backtrace:
CPU: 1 PID: 24643 Comm: syz-executor.4 Not tainted 4.19.48 #20
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_bad_irq_dependency kernel/locking/lockdep.c:1568 [inline]
check_usage.cold+0x611/0x946 kernel/locking/lockdep.c:1600
check_irq_usage kernel/locking/lockdep.c:1656 [inline]
check_prev_add_irq kernel/locking/lockdep_states.h:8 [inline]
check_prev_add kernel/locking/lockdep.c:1866 [inline]
check_prevs_add kernel/locking/lockdep.c:1974 [inline]
validate_chain kernel/locking/lockdep.c:2415 [inline]
__lock_acquire+0x1ee4/0x48f0 kernel/locking/lockdep.c:3411
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
userfaultfd_ctx_read fs/userfaultfd.c:1046 [inline]
userfaultfd_read+0x394/0x18c0 fs/userfaultfd.c:1204
__vfs_read+0x114/0x800 fs/read_write.c:416
vfs_read+0x194/0x3d0 fs/read_write.c:452
ksys_read+0x14f/0x2d0 fs/read_write.c:579
__do_sys_read fs/read_write.c:589 [inline]
__se_sys_read fs/read_write.c:587 [inline]
__x64_sys_read+0x73/0xb0 fs/read_write.c:587
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459279
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f212ef1cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459279
RDX: 0000000000000043 RSI: 0000000020000240 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f212ef1d6d4
R13: 00000000004c5109 R14: 00000000004dabe8 R15: 00000000ffffffff
kobject: 'kvm' (0000000018211d98): kobject_uevent_env
kobject: 'kvm' (0000000018211d98): fill_kobj_path: path
= '/devices/virtual/misc/kvm'
kobject: 'loop2' (0000000027a93f38): kobject_uevent_env
kobject: 'loop2' (0000000027a93f38): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop0' (00000000915ad2b4): kobject_uevent_env
kobject: 'loop0' (00000000915ad2b4): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kauditd_printk_skb: 138 callbacks suppressed
audit: type=1400 audit(1559788745.063:1266): avc: denied { map } for
pid=24794 comm="blkid" path="/etc/ld.so.cache" dev="sda1" ino=2251
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file permissive=1
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
audit: type=1400 audit(1559788745.073:1267): avc: denied { map } for
pid=24794 comm="blkid" path="/lib/x86_64-linux-gnu/libblkid.so.1.1.0"
dev="sda1" ino=2825 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
kobject: 'loop4' (00000000da53a6db): kobject_uevent_env
audit: type=1400 audit(1559788745.073:1268): avc: denied { map } for
pid=24794 comm="blkid" path="/lib/x86_64-linux-gnu/libblkid.so.1.1.0"
dev="sda1" ino=2825 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
kobject: 'loop4' (00000000da53a6db): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (000000004fa331d5): kobject_uevent_env
audit: type=1400 audit(1559788745.113:1269): avc: denied { map } for
pid=24794 comm="blkid" path="/lib/x86_64-linux-gnu/libc-2.13.so" dev="sda1"
ino=2784 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
kobject: 'loop5' (000000004fa331d5): fill_kobj_path: path
= '/devices/virtual/block/loop5'
audit: type=1400 audit(1559788745.123:1270): avc: denied { map } for
pid=24794 comm="blkid" path="/lib/x86_64-linux-gnu/libc-2.13.so" dev="sda1"
ino=2784 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
kobject: 'loop1' (00000000bb121abb): kobject_uevent_env
kobject: 'loop1' (00000000bb121abb): fill_kobj_path: path
= '/devices/virtual/block/loop1'
audit: type=1400 audit(1559788745.153:1271): avc: denied { map } for
pid=24794 comm="blkid" path="/lib/x86_64-linux-gnu/libuuid.so.1.3.0"
dev="sda1" ino=2819 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: audit_backlog=65 > audit_backlog_limit=64
audit: type=1400 audit(1559788745.153:1272): avc: denied { map } for
pid=24794 comm="blkid" path="/lib/x86_64-linux-gnu/libuuid.so.1.3.0"
dev="sda1" ino=2819 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: audit_lost=23 audit_rate_limit=0 audit_backlog_limit=64
audit: backlog limit exceeded
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop0' (00000000915ad2b4): kobject_uevent_env
kobject: 'loop0' (00000000915ad2b4): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop1' (00000000bb121abb): kobject_uevent_env
kobject: 'loop1' (00000000bb121abb): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop5' (000000004fa331d5): kobject_uevent_env
kobject: 'loop5' (000000004fa331d5): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop4' (00000000da53a6db): kobject_uevent_env
kobject: 'loop4' (00000000da53a6db): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop0' (00000000915ad2b4): kobject_uevent_env
kobject: 'loop0' (00000000915ad2b4): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop2' (0000000027a93f38): kobject_uevent_env
kobject: 'loop2' (0000000027a93f38): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop5' (000000004fa331d5): kobject_uevent_env
kobject: 'loop5' (000000004fa331d5): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop1' (00000000bb121abb): kobject_uevent_env
kobject: 'loop1' (00000000bb121abb): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop2' (0000000027a93f38): kobject_uevent_env
kobject: 'loop2' (0000000027a93f38): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop4' (00000000da53a6db): kobject_uevent_env
kobject: 'loop4' (00000000da53a6db): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (000000004fa331d5): kobject_uevent_env
kobject: 'loop5' (000000004fa331d5): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop0' (00000000915ad2b4): kobject_uevent_env
kobject: 'loop0' (00000000915ad2b4): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop1' (00000000bb121abb): kobject_uevent_env
kobject: 'loop1' (00000000bb121abb): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop4' (00000000da53a6db): kobject_uevent_env
kobject: 'loop4' (00000000da53a6db): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (000000004fa331d5): kobject_uevent_env
kobject: 'loop5' (000000004fa331d5): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop0' (00000000915ad2b4): kobject_uevent_env
kobject: 'loop0' (00000000915ad2b4): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop5' (000000004fa331d5): kobject_uevent_env
kauditd_printk_skb: 359 callbacks suppressed
audit: type=1400 audit(1559788750.101:1623): avc: denied { map } for
pid=25513 comm="blkid" path="/lib/x86_64-linux-gnu/libc-2.13.so" dev="sda1"
ino=2784 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
kobject: 'loop5' (000000004fa331d5): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
audit: type=1400 audit(1559788750.131:1624): avc: denied { map } for
pid=25513 comm="blkid" path="/lib/x86_64-linux-gnu/libc-2.13.so" dev="sda1"
ino=2784 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
kobject: 'loop1' (00000000bb121abb): kobject_uevent_env
kobject: 'loop1' (00000000bb121abb): fill_kobj_path: path
= '/devices/virtual/block/loop1'
audit: type=1400 audit(1559788750.171:1625): avc: denied { map } for
pid=25513 comm="blkid" path="/lib/x86_64-linux-gnu/libuuid.so.1.3.0"
dev="sda1" ino=2819 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
kobject: 'loop4' (00000000da53a6db): kobject_uevent_env
audit: type=1400 audit(1559788750.171:1626): avc: denied { map } for
pid=25513 comm="blkid" path="/lib/x86_64-linux-gnu/libuuid.so.1.3.0"
dev="sda1" ino=2819 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
kobject: 'loop4' (00000000da53a6db): fill_kobj_path: path
= '/devices/virtual/block/loop4'
audit: type=1400 audit(1559788750.261:1627): avc: denied { map } for
pid=25519 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file permissive=1
kobject: 'loop5' (000000004fa331d5): kobject_uevent_env
kobject: 'loop5' (000000004fa331d5): fill_kobj_path: path
= '/devices/virtual/block/loop5'
audit: type=1400 audit(1559788750.281:1628): avc: denied { map } for
pid=25519 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file permissive=1
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
audit: type=1400 audit(1559788750.321:1629): avc: denied { map } for
pid=25519 comm="blkid" path="/lib/x86_64-linux-gnu/ld-2.13.so" dev="sda1"
ino=2668 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
kobject: 'loop0' (00000000915ad2b4): kobject_uevent_env
audit: audit_backlog=65 > audit_backlog_limit=64
kobject: 'loop0' (00000000915ad2b4): fill_kobj_path: path
= '/devices/virtual/block/loop0'
audit: type=1400 audit(1559788750.331:1630): avc: denied { map } for
pid=25519 comm="blkid" path="/lib/x86_64-linux-gnu/ld-2.13.so" dev="sda1"
ino=2668 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: audit_lost=27 audit_rate_limit=0 audit_backlog_limit=64
kobject: 'loop1' (00000000bb121abb): kobject_uevent_env
kobject: 'loop1' (00000000bb121abb): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop4' (00000000da53a6db): kobject_uevent_env
kobject: 'loop4' (00000000da53a6db): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop0' (00000000915ad2b4): kobject_uevent_env
kobject: 'loop0' (00000000915ad2b4): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop5' (000000004fa331d5): kobject_uevent_env
kobject: 'loop5' (000000004fa331d5): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop2' (0000000027a93f38): kobject_uevent_env
kobject: 'loop2' (0000000027a93f38): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop1' (00000000bb121abb): kobject_uevent_env
kobject: 'loop1' (00000000bb121abb): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop0' (00000000915ad2b4): kobject_uevent_env
kobject: 'loop0' (00000000915ad2b4): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop4' (00000000da53a6db): kobject_uevent_env
kobject: 'loop4' (00000000da53a6db): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (000000004fa331d5): kobject_uevent_env
kobject: 'loop5' (000000004fa331d5): fill_kobj_path: path
= '/devices/virtual/block/loop5'
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: e109a984 Linux 4.19.48
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16b8b01ea00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2d14dd88554f26bc
dashboard link: https://syzkaller.appspot.com/bug?extid=5d6306ec057f3482ff50
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5d6306...@syzkaller.appspotmail.com
=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
4.19.48 #20 Not tainted
-----------------------------------------------------
syz-executor.4/24643 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
0000000007635533 (&ctx->fault_pending_wqh){+.+.}, at: spin_lock
include/linux/spinlock.h:329 [inline]
0000000007635533 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_ctx_read
fs/userfaultfd.c:1046 [inline]
0000000007635533 (&ctx->fault_pending_wqh){+.+.}, at:
userfaultfd_read+0x394/0x18c0 fs/userfaultfd.c:1204
and this task is already holding:
kobject: 'loop2' (0000000027a93f38): kobject_uevent_env
00000000703bca58 (&ctx->fd_wqh){....}, at: spin_lock_irq
include/linux/spinlock.h:354 [inline]
00000000703bca58 (&ctx->fd_wqh){....}, at: userfaultfd_ctx_read
fs/userfaultfd.c:1042 [inline]
00000000703bca58 (&ctx->fd_wqh){....}, at: userfaultfd_read+0x262/0x18c0
fs/userfaultfd.c:1204
which would create a new lock dependency:
(&ctx->fd_wqh){....} -> (&ctx->fault_pending_wqh){+.+.}
but this new dependency connects a SOFTIRQ-irq-safe lock:
kobject: 'loop2' (0000000027a93f38): fill_kobj_path: path
= '/devices/virtual/block/loop2'
(&(&ctx->ctx_lock)->rlock){..-.}
... which became SOFTIRQ-irq-safe at:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline]
_raw_spin_lock_irq+0x60/0x80 kernel/locking/spinlock.c:160
spin_lock_irq include/linux/spinlock.h:354 [inline]
free_ioctx_users+0x2d/0x490 fs/aio.c:614
percpu_ref_put_many include/linux/percpu-refcount.h:284 [inline]
percpu_ref_put include/linux/percpu-refcount.h:300 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:123 [inline]
percpu_ref_switch_to_atomic_rcu+0x407/0x540 lib/percpu-refcount.c:158
__rcu_reclaim kernel/rcu/rcu.h:236 [inline]
rcu_do_batch kernel/rcu/tree.c:2584 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
rcu_process_callbacks+0xba0/0x1a30 kernel/rcu/tree.c:2881
__do_softirq+0x25c/0x921 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:372 [inline]
irq_exit+0x180/0x1d0 kernel/softirq.c:412
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x13b/0x550 arch/x86/kernel/apic/apic.c:1056
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:869
to a SOFTIRQ-irq-unsafe lock:
(&ctx->fault_pending_wqh){+.+.}
... which became SOFTIRQ-irq-unsafe at:
...
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
userfaultfd_release+0x4d6/0x720 fs/userfaultfd.c:922
__fput+0x2dd/0x8b0 fs/file_table.c:278
____fput+0x16/0x20 fs/file_table.c:309
task_work_run+0x145/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x53d/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
other info that might help us debug this:
Chain exists of:
&(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
Possible interrupt unsafe locking scenario:
erofs: read_super, device -> /dev/loop2
CPU0 CPU1
---- ----
lock(&ctx->fault_pending_wqh);
local_irq_disable();
lock(&(&ctx->ctx_lock)->rlock);
lock(&ctx->fd_wqh);
<Interrupt>
lock(&(&ctx->ctx_lock)->rlock);
*** DEADLOCK ***
1 lock held by syz-executor.4/24643:
#0: 00000000703bca58 (
erofs: options ->
&ctx->fd_wqh){....}, at: spin_lock_irq include/linux/spinlock.h:354 [inline]
&ctx->fd_wqh){....}, at: userfaultfd_ctx_read fs/userfaultfd.c:1042 [inline]
&ctx->fd_wqh){....}, at: userfaultfd_read+0x262/0x18c0 fs/userfaultfd.c:1204
the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
-> (&(&ctx->ctx_lock)->rlock){..-.} ops: 185 {
IN-SOFTIRQ-W at:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock_irq
include/linux/spinlock_api_smp.h:128 [inline]
_raw_spin_lock_irq+0x60/0x80
kernel/locking/spinlock.c:160
spin_lock_irq include/linux/spinlock.h:354 [inline]
free_ioctx_users+0x2d/0x490 fs/aio.c:614
percpu_ref_put_many
include/linux/percpu-refcount.h:284 [inline]
percpu_ref_put include/linux/percpu-refcount.h:300
[inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:123
[inline]
percpu_ref_switch_to_atomic_rcu+0x407/0x540
lib/percpu-refcount.c:158
__rcu_reclaim kernel/rcu/rcu.h:236 [inline]
rcu_do_batch kernel/rcu/tree.c:2584 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2864
[inline]
rcu_process_callbacks+0xba0/0x1a30
kernel/rcu/tree.c:2881
__do_softirq+0x25c/0x921 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:372 [inline]
irq_exit+0x180/0x1d0 kernel/softirq.c:412
erofs: cannot find valid erofs superblock
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x13b/0x550
arch/x86/kernel/apic/apic.c:1056
apic_timer_interrupt+0xf/0x20
arch/x86/entry/entry_64.S:869
INITIAL USE at:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock_irq
include/linux/spinlock_api_smp.h:128 [inline]
_raw_spin_lock_irq+0x60/0x80
kernel/locking/spinlock.c:160
spin_lock_irq include/linux/spinlock.h:354 [inline]
free_ioctx_users+0x2d/0x490 fs/aio.c:614
percpu_ref_put_many
include/linux/percpu-refcount.h:284 [inline]
percpu_ref_put include/linux/percpu-refcount.h:300
[inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:123
[inline]
percpu_ref_switch_to_atomic_rcu+0x407/0x540
lib/percpu-refcount.c:158
__rcu_reclaim kernel/rcu/rcu.h:236 [inline]
rcu_do_batch kernel/rcu/tree.c:2584 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
rcu_process_callbacks+0xba0/0x1a30
kernel/rcu/tree.c:2881
__do_softirq+0x25c/0x921 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:372 [inline]
irq_exit+0x180/0x1d0 kernel/softirq.c:412
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x13b/0x550
arch/x86/kernel/apic/apic.c:1056
kobject: 'kvm' (0000000018211d98): kobject_uevent_env
apic_timer_interrupt+0xf/0x20
arch/x86/entry/entry_64.S:869
}
... key at: [<ffffffff8a3813a0>] __key.50187+0x0/0x40
... acquired at:
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
aio_poll fs/aio.c:1741 [inline]
__io_submit_one fs/aio.c:1849 [inline]
io_submit_one+0xef2/0x2eb0 fs/aio.c:1885
__do_sys_io_submit fs/aio.c:1929 [inline]
__se_sys_io_submit fs/aio.c:1900 [inline]
__x64_sys_io_submit+0x1aa/0x520 fs/aio.c:1900
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
-> (&ctx->fd_wqh){....} ops: 89 {
INITIAL USE at:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock_irqsave
include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x95/0xcd
kernel/locking/spinlock.c:152
__wake_up_common_lock+0xc7/0x190 kernel/sched/wait.c:120
__wake_up+0xe/0x10 kernel/sched/wait.c:145
userfaultfd_release+0x534/0x720 fs/userfaultfd.c:930
__fput+0x2dd/0x8b0 fs/file_table.c:278
____fput+0x16/0x20 fs/file_table.c:309
task_work_run+0x145/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193
[inline]
exit_to_usermode_loop+0x273/0x2c0
arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198
[inline]
syscall_return_slowpath arch/x86/entry/common.c:271
[inline]
do_syscall_64+0x53d/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
}
... key at: [<ffffffff8a381120>] __key.43724+0x0/0x40
... acquired at:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
userfaultfd_ctx_read fs/userfaultfd.c:1046 [inline]
userfaultfd_read+0x394/0x18c0 fs/userfaultfd.c:1204
__vfs_read+0x114/0x800 fs/read_write.c:416
vfs_read+0x194/0x3d0 fs/read_write.c:452
ksys_read+0x14f/0x2d0 fs/read_write.c:579
__do_sys_read fs/read_write.c:589 [inline]
__se_sys_read fs/read_write.c:587 [inline]
__x64_sys_read+0x73/0xb0 fs/read_write.c:587
kobject: 'kvm' (0000000018211d98): fill_kobj_path: path
= '/devices/virtual/misc/kvm'
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
the dependencies between the lock to be acquired
and SOFTIRQ-irq-unsafe lock:
-> (&ctx->fault_pending_wqh){+.+.} ops: 81 {
HARDIRQ-ON-W at:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock include/linux/spinlock_api_smp.h:142
[inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
userfaultfd_release+0x4d6/0x720 fs/userfaultfd.c:922
__fput+0x2dd/0x8b0 fs/file_table.c:278
____fput+0x16/0x20 fs/file_table.c:309
task_work_run+0x145/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193
[inline]
exit_to_usermode_loop+0x273/0x2c0
arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198
[inline]
syscall_return_slowpath arch/x86/entry/common.c:271
[inline]
do_syscall_64+0x53d/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
SOFTIRQ-ON-W at:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock include/linux/spinlock_api_smp.h:142
[inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
userfaultfd_release+0x4d6/0x720 fs/userfaultfd.c:922
__fput+0x2dd/0x8b0 fs/file_table.c:278
____fput+0x16/0x20 fs/file_table.c:309
task_work_run+0x145/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193
[inline]
exit_to_usermode_loop+0x273/0x2c0
arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198
[inline]
syscall_return_slowpath arch/x86/entry/common.c:271
[inline]
do_syscall_64+0x53d/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
INITIAL USE at:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock include/linux/spinlock_api_smp.h:142
[inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
userfaultfd_release+0x4d6/0x720 fs/userfaultfd.c:922
__fput+0x2dd/0x8b0 fs/file_table.c:278
____fput+0x16/0x20 fs/file_table.c:309
task_work_run+0x145/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193
[inline]
exit_to_usermode_loop+0x273/0x2c0
arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198
[inline]
syscall_return_slowpath arch/x86/entry/common.c:271
[inline]
do_syscall_64+0x53d/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
}
... key at: [<ffffffff8a3811e0>] __key.43721+0x0/0x40
... acquired at:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
userfaultfd_ctx_read fs/userfaultfd.c:1046 [inline]
userfaultfd_read+0x394/0x18c0 fs/userfaultfd.c:1204
__vfs_read+0x114/0x800 fs/read_write.c:416
vfs_read+0x194/0x3d0 fs/read_write.c:452
ksys_read+0x14f/0x2d0 fs/read_write.c:579
__do_sys_read fs/read_write.c:589 [inline]
__se_sys_read fs/read_write.c:587 [inline]
__x64_sys_read+0x73/0xb0 fs/read_write.c:587
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
stack backtrace:
CPU: 1 PID: 24643 Comm: syz-executor.4 Not tainted 4.19.48 #20
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_bad_irq_dependency kernel/locking/lockdep.c:1568 [inline]
check_usage.cold+0x611/0x946 kernel/locking/lockdep.c:1600
check_irq_usage kernel/locking/lockdep.c:1656 [inline]
check_prev_add_irq kernel/locking/lockdep_states.h:8 [inline]
check_prev_add kernel/locking/lockdep.c:1866 [inline]
check_prevs_add kernel/locking/lockdep.c:1974 [inline]
validate_chain kernel/locking/lockdep.c:2415 [inline]
__lock_acquire+0x1ee4/0x48f0 kernel/locking/lockdep.c:3411
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:329 [inline]
userfaultfd_ctx_read fs/userfaultfd.c:1046 [inline]
userfaultfd_read+0x394/0x18c0 fs/userfaultfd.c:1204
__vfs_read+0x114/0x800 fs/read_write.c:416
vfs_read+0x194/0x3d0 fs/read_write.c:452
ksys_read+0x14f/0x2d0 fs/read_write.c:579
__do_sys_read fs/read_write.c:589 [inline]
__se_sys_read fs/read_write.c:587 [inline]
__x64_sys_read+0x73/0xb0 fs/read_write.c:587
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459279
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f212ef1cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459279
RDX: 0000000000000043 RSI: 0000000020000240 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f212ef1d6d4
R13: 00000000004c5109 R14: 00000000004dabe8 R15: 00000000ffffffff
kobject: 'kvm' (0000000018211d98): kobject_uevent_env
kobject: 'kvm' (0000000018211d98): fill_kobj_path: path
= '/devices/virtual/misc/kvm'
kobject: 'loop2' (0000000027a93f38): kobject_uevent_env
kobject: 'loop2' (0000000027a93f38): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop0' (00000000915ad2b4): kobject_uevent_env
kobject: 'loop0' (00000000915ad2b4): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kauditd_printk_skb: 138 callbacks suppressed
audit: type=1400 audit(1559788745.063:1266): avc: denied { map } for
pid=24794 comm="blkid" path="/etc/ld.so.cache" dev="sda1" ino=2251
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file permissive=1
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
audit: type=1400 audit(1559788745.073:1267): avc: denied { map } for
pid=24794 comm="blkid" path="/lib/x86_64-linux-gnu/libblkid.so.1.1.0"
dev="sda1" ino=2825 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
kobject: 'loop4' (00000000da53a6db): kobject_uevent_env
audit: type=1400 audit(1559788745.073:1268): avc: denied { map } for
pid=24794 comm="blkid" path="/lib/x86_64-linux-gnu/libblkid.so.1.1.0"
dev="sda1" ino=2825 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
kobject: 'loop4' (00000000da53a6db): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (000000004fa331d5): kobject_uevent_env
audit: type=1400 audit(1559788745.113:1269): avc: denied { map } for
pid=24794 comm="blkid" path="/lib/x86_64-linux-gnu/libc-2.13.so" dev="sda1"
ino=2784 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
kobject: 'loop5' (000000004fa331d5): fill_kobj_path: path
= '/devices/virtual/block/loop5'
audit: type=1400 audit(1559788745.123:1270): avc: denied { map } for
pid=24794 comm="blkid" path="/lib/x86_64-linux-gnu/libc-2.13.so" dev="sda1"
ino=2784 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
kobject: 'loop1' (00000000bb121abb): kobject_uevent_env
kobject: 'loop1' (00000000bb121abb): fill_kobj_path: path
= '/devices/virtual/block/loop1'
audit: type=1400 audit(1559788745.153:1271): avc: denied { map } for
pid=24794 comm="blkid" path="/lib/x86_64-linux-gnu/libuuid.so.1.3.0"
dev="sda1" ino=2819 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: audit_backlog=65 > audit_backlog_limit=64
audit: type=1400 audit(1559788745.153:1272): avc: denied { map } for
pid=24794 comm="blkid" path="/lib/x86_64-linux-gnu/libuuid.so.1.3.0"
dev="sda1" ino=2819 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: audit_lost=23 audit_rate_limit=0 audit_backlog_limit=64
audit: backlog limit exceeded
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop0' (00000000915ad2b4): kobject_uevent_env
kobject: 'loop0' (00000000915ad2b4): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop1' (00000000bb121abb): kobject_uevent_env
kobject: 'loop1' (00000000bb121abb): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop5' (000000004fa331d5): kobject_uevent_env
kobject: 'loop5' (000000004fa331d5): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop4' (00000000da53a6db): kobject_uevent_env
kobject: 'loop4' (00000000da53a6db): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop0' (00000000915ad2b4): kobject_uevent_env
kobject: 'loop0' (00000000915ad2b4): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop2' (0000000027a93f38): kobject_uevent_env
kobject: 'loop2' (0000000027a93f38): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop5' (000000004fa331d5): kobject_uevent_env
kobject: 'loop5' (000000004fa331d5): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop1' (00000000bb121abb): kobject_uevent_env
kobject: 'loop1' (00000000bb121abb): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop2' (0000000027a93f38): kobject_uevent_env
kobject: 'loop2' (0000000027a93f38): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop4' (00000000da53a6db): kobject_uevent_env
kobject: 'loop4' (00000000da53a6db): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (000000004fa331d5): kobject_uevent_env
kobject: 'loop5' (000000004fa331d5): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop0' (00000000915ad2b4): kobject_uevent_env
kobject: 'loop0' (00000000915ad2b4): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop1' (00000000bb121abb): kobject_uevent_env
kobject: 'loop1' (00000000bb121abb): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop4' (00000000da53a6db): kobject_uevent_env
kobject: 'loop4' (00000000da53a6db): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (000000004fa331d5): kobject_uevent_env
kobject: 'loop5' (000000004fa331d5): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop0' (00000000915ad2b4): kobject_uevent_env
kobject: 'loop0' (00000000915ad2b4): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop5' (000000004fa331d5): kobject_uevent_env
kauditd_printk_skb: 359 callbacks suppressed
audit: type=1400 audit(1559788750.101:1623): avc: denied { map } for
pid=25513 comm="blkid" path="/lib/x86_64-linux-gnu/libc-2.13.so" dev="sda1"
ino=2784 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
kobject: 'loop5' (000000004fa331d5): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
audit: type=1400 audit(1559788750.131:1624): avc: denied { map } for
pid=25513 comm="blkid" path="/lib/x86_64-linux-gnu/libc-2.13.so" dev="sda1"
ino=2784 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
kobject: 'loop1' (00000000bb121abb): kobject_uevent_env
kobject: 'loop1' (00000000bb121abb): fill_kobj_path: path
= '/devices/virtual/block/loop1'
audit: type=1400 audit(1559788750.171:1625): avc: denied { map } for
pid=25513 comm="blkid" path="/lib/x86_64-linux-gnu/libuuid.so.1.3.0"
dev="sda1" ino=2819 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
kobject: 'loop4' (00000000da53a6db): kobject_uevent_env
audit: type=1400 audit(1559788750.171:1626): avc: denied { map } for
pid=25513 comm="blkid" path="/lib/x86_64-linux-gnu/libuuid.so.1.3.0"
dev="sda1" ino=2819 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
kobject: 'loop4' (00000000da53a6db): fill_kobj_path: path
= '/devices/virtual/block/loop4'
audit: type=1400 audit(1559788750.261:1627): avc: denied { map } for
pid=25519 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file permissive=1
kobject: 'loop5' (000000004fa331d5): kobject_uevent_env
kobject: 'loop5' (000000004fa331d5): fill_kobj_path: path
= '/devices/virtual/block/loop5'
audit: type=1400 audit(1559788750.281:1628): avc: denied { map } for
pid=25519 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file permissive=1
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
audit: type=1400 audit(1559788750.321:1629): avc: denied { map } for
pid=25519 comm="blkid" path="/lib/x86_64-linux-gnu/ld-2.13.so" dev="sda1"
ino=2668 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
kobject: 'loop0' (00000000915ad2b4): kobject_uevent_env
audit: audit_backlog=65 > audit_backlog_limit=64
kobject: 'loop0' (00000000915ad2b4): fill_kobj_path: path
= '/devices/virtual/block/loop0'
audit: type=1400 audit(1559788750.331:1630): avc: denied { map } for
pid=25519 comm="blkid" path="/lib/x86_64-linux-gnu/ld-2.13.so" dev="sda1"
ino=2668 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: audit_lost=27 audit_rate_limit=0 audit_backlog_limit=64
kobject: 'loop1' (00000000bb121abb): kobject_uevent_env
kobject: 'loop1' (00000000bb121abb): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop4' (00000000da53a6db): kobject_uevent_env
kobject: 'loop4' (00000000da53a6db): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop0' (00000000915ad2b4): kobject_uevent_env
kobject: 'loop0' (00000000915ad2b4): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop5' (000000004fa331d5): kobject_uevent_env
kobject: 'loop5' (000000004fa331d5): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop2' (0000000027a93f38): kobject_uevent_env
kobject: 'loop2' (0000000027a93f38): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop1' (00000000bb121abb): kobject_uevent_env
kobject: 'loop1' (00000000bb121abb): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop0' (00000000915ad2b4): kobject_uevent_env
kobject: 'loop0' (00000000915ad2b4): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop3' (00000000c75e4c9c): kobject_uevent_env
kobject: 'loop3' (00000000c75e4c9c): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop4' (00000000da53a6db): kobject_uevent_env
kobject: 'loop4' (00000000da53a6db): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (000000004fa331d5): kobject_uevent_env
kobject: 'loop5' (000000004fa331d5): fill_kobj_path: path
= '/devices/virtual/block/loop5'
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Nov 2, 2019, 2:47:05 PM11/2/19
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages