[ ok ] Starting enhanced syslogd: rsyslogd.
[ 63.397744][ T26] audit: type=1800 audit(1561463728.360:25): pid=8605 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 63.438719][ T26] audit: type=1800 audit(1561463728.370:26): pid=8605 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 63.468747][ T26] audit: type=1800 audit(1561463728.370:27): pid=8605 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.152' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 74.410306][ T8760]
[ 74.412666][ T8760] ========================================================
[ 74.419950][ T8760] WARNING: possible irq lock inversion dependency detected
[ 74.427116][ T8760] 5.2.0-rc6-next-20190624 #21 Not tainted
[ 74.432804][ T8760] --------------------------------------------------------
[ 74.439967][ T8760] syz-executor100/8760 just changed the state of lock:
[ 74.446804][ T8760] 00000000851da6e3 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x4ca/0x710
[ 74.456558][ T8760] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 74.464611][ T8760]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 74.464617][ T8760]
[ 74.464617][ T8760]
[ 74.464617][ T8760] and interrupts could create inverse lock ordering between them.
[ 74.464617][ T8760]
[ 74.484062][ T8760]
[ 74.484062][ T8760] other info that might help us debug this:
[ 74.492095][ T8760] Chain exists of:
[ 74.492095][ T8760]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 74.492095][ T8760]
[ 74.506299][ T8760]  Possible interrupt unsafe locking scenario:
[ 74.506299][ T8760]
[ 74.514613][ T8760]        CPU0                    CPU1
[ 74.519957][ T8760]        ----                    ----
[ 74.525307][ T8760]   lock(&ctx->fault_pending_wqh);
[ 74.530411][ T8760]                                local_irq_disable();
[ 74.537158][ T8760]                                lock(&(&ctx->ctx_lock)->rlock);
[ 74.544861][ T8760]                                lock(&ctx->fd_wqh);
[ 74.551939][ T8760]
[ 74.555373][ T8760]     lock(&(&ctx->ctx_lock)->rlock);
[ 74.560761][ T8760]
[ 74.560761][ T8760]  *** DEADLOCK ***
[ 74.560761][ T8760]
[ 74.568897][ T8760] no locks held by syz-executor100/8760.
[ 74.574521][ T8760]
[ 74.574521][ T8760] the shortest dependencies between 2nd lock and 1st lock:
[ 74.583885][ T8760] -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 74.589586][ T8760]    IN-SOFTIRQ-W at:
[ 74.593729][ T8760]                     lock_acquire+0x190/0x410
[ 74.600203][ T8760]                     _raw_spin_lock_irq+0x60/0x80
[ 74.607025][ T8760]                     free_ioctx_users+0x2d/0x490
[ 74.613769][ T8760]                     percpu_ref_switch_to_atomic_rcu+0x4c0/0x570
[ 74.621895][ T8760]                     rcu_core+0xa3a/0x15a0
[ 74.628128][ T8760]                     __do_softirq+0x262/0x98c
[ 74.634634][ T8760]                     irq_exit+0x19b/0x1e0
[ 74.640849][ T8760]                     smp_apic_timer_interrupt+0x1a3/0x610
[ 74.648373][ T8760]                     apic_timer_interrupt+0xf/0x20
[ 74.655278][ T8760]                     native_safe_halt+0xe/0x10
[ 74.661836][ T8760]                     arch_cpu_idle+0xa/0x10
[ 74.668132][ T8760]                     default_idle_call+0x84/0xb0
[ 74.674887][ T8760]                     do_idle+0x413/0x760
[ 74.680935][ T8760]                     cpu_startup_entry+0x1b/0x20
[ 74.687671][ T8760]                     rest_init+0x245/0x37b
[ 74.693904][ T8760]                     arch_call_rest_init+0xe/0x1b
[ 74.700739][ T8760]                     start_kernel+0x8de/0x91d
[ 74.707216][ T8760]                     x86_64_start_reservations+0x29/0x2b
[ 74.714674][ T8760]                     x86_64_start_kernel+0x77/0x7b
[ 74.721592][ T8760]                     secondary_startup_64+0xa4/0xb0
[ 74.728671][ T8760]    INITIAL USE at:
[ 74.732766][ T8760]                    lock_acquire+0x190/0x410
[ 74.739264][ T8760]                    _raw_spin_lock_irq+0x60/0x80
[ 74.746002][ T8760]                    io_submit_one+0xeb5/0x2ef0
[ 74.752567][ T8760]                    __x64_sys_io_submit+0x1bd/0x570
[ 74.759933][ T8760]                    do_syscall_64+0xfd/0x6a0
[ 74.766326][ T8760]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.774116][ T8760]  }
[ 74.776976][ T8760]  ... key      at: [] __key.53688+0x0/0x40
[ 74.784576][ T8760]  ... acquired at:
[ 74.788538][ T8760]    _raw_spin_lock+0x2f/0x40
[ 74.793365][ T8760]    io_submit_one+0xefa/0x2ef0
[ 74.798192][ T8760]    __x64_sys_io_submit+0x1bd/0x570
[ 74.803468][ T8760]    do_syscall_64+0xfd/0x6a0
[ 74.808119][ T8760]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.814177][ T8760]
[ 74.816484][ T8760] -> (&ctx->fd_wqh){....} {
[ 74.821050][ T8760]    INITIAL USE at:
[ 74.825016][ T8760]                    lock_acquire+0x190/0x410
[ 74.831329][ T8760]                    _raw_spin_lock_irq+0x60/0x80
[ 74.837896][ T8760]                    userfaultfd_read+0x27a/0x1950
[ 74.844545][ T8760]                    do_iter_read+0x4a4/0x660
[ 74.850758][ T8760]                    vfs_readv+0xf0/0x160
[ 74.856627][ T8760]                    do_readv+0x15b/0x330
[ 74.862498][ T8760]                    __x64_sys_readv+0x75/0xb0
[ 74.868804][ T8760]                    do_syscall_64+0xfd/0x6a0
[ 74.875035][ T8760]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.882639][ T8760]  }
[ 74.885216][ T8760]  ... key      at: [] __key.46406+0x0/0x40
[ 74.892726][ T8760]  ... acquired at:
[ 74.896605][ T8760]    _raw_spin_lock+0x2f/0x40
[ 74.901265][ T8760]    userfaultfd_read+0x54d/0x1950
[ 74.906349][ T8760]    do_iter_read+0x4a4/0x660
[ 74.911086][ T8760]    vfs_readv+0xf0/0x160
[ 74.915408][ T8760]    do_readv+0x15b/0x330
[ 74.919719][ T8760]    __x64_sys_readv+0x75/0xb0
[ 74.924455][ T8760]    do_syscall_64+0xfd/0x6a0
[ 74.929104][ T8760]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.935134][ T8760]
[ 74.937431][ T8760] -> (&ctx->fault_pending_wqh){+.+.} {
[ 74.942861][ T8760]    HARDIRQ-ON-W at:
[ 74.946835][ T8760]                     lock_acquire+0x190/0x410
[ 74.952991][ T8760]                     _raw_spin_lock+0x2f/0x40
[ 74.959221][ T8760]                     userfaultfd_release+0x4ca/0x710
[ 74.965974][ T8760]                     __fput+0x2ff/0x890
[ 74.971593][ T8760]                     ____fput+0x16/0x20
[ 74.977208][ T8760]                     task_work_run+0x145/0x1c0
[ 74.983426][ T8760]                     do_exit+0x904/0x2eb0
[ 74.989292][ T8760]                     do_group_exit+0x135/0x360
[ 74.995504][ T8760]                     get_signal+0x47c/0x2500
[ 75.001546][ T8760]                     do_signal+0x87/0x1700
[ 75.007618][ T8760]                     exit_to_usermode_loop+0x251/0x2d0
[ 75.014540][ T8760]                     do_syscall_64+0x5a9/0x6a0
[ 75.020766][ T8760]                     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.028285][ T8760]    SOFTIRQ-ON-W at:
[ 75.032253][ T8760]                     lock_acquire+0x190/0x410
[ 75.038394][ T8760]                     _raw_spin_lock+0x2f/0x40
[ 75.044526][ T8760]                     userfaultfd_release+0x4ca/0x710
[ 75.051278][ T8760]                     __fput+0x2ff/0x890
[ 75.057088][ T8760]                     ____fput+0x16/0x20
[ 75.062719][ T8760]                     task_work_run+0x145/0x1c0
[ 75.073958][ T8760]                     do_exit+0x904/0x2eb0
[ 75.079763][ T8760]                     do_group_exit+0x135/0x360
[ 75.086002][ T8760]                     get_signal+0x47c/0x2500
[ 75.092051][ T8760]                     do_signal+0x87/0x1700
[ 75.097925][ T8760]                     exit_to_usermode_loop+0x251/0x2d0
[ 75.104837][ T8760]                     do_syscall_64+0x5a9/0x6a0
[ 75.111057][ T8760]                     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.118593][ T8760]    INITIAL USE at:
[ 75.122487][ T8760]                    lock_acquire+0x190/0x410
[ 75.128532][ T8760]                    _raw_spin_lock+0x2f/0x40
[ 75.134600][ T8760]                    userfaultfd_read+0x54d/0x1950
[ 75.141095][ T8760]                    do_iter_read+0x4a4/0x660
[ 75.147140][ T8760]                    vfs_readv+0xf0/0x160
[ 75.152835][ T8760]                    do_readv+0x15b/0x330
[ 75.158531][ T8760]                    __x64_sys_readv+0x75/0xb0
[ 75.164658][ T8760]                    do_syscall_64+0xfd/0x6a0
[ 75.170716][ T8760]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.178152][ T8760]  }
[ 75.180662][ T8760]  ... key      at: [] __key.46403+0x0/0x40
[ 75.188122][ T8760]  ... acquired at:
[ 75.191930][ T8760]    mark_lock+0x4fa/0x11e0
[ 75.196429][ T8760]    __lock_acquire+0x13f7/0x4680
[ 75.201428][ T8760]    lock_acquire+0x190/0x410
[ 75.206077][ T8760]    _raw_spin_lock+0x2f/0x40
[ 75.210728][ T8760]    userfaultfd_release+0x4ca/0x710
[ 75.215985][ T8760]    __fput+0x2ff/0x890
[ 75.220112][ T8760]    ____fput+0x16/0x20
[ 75.224242][ T8760]    task_work_run+0x145/0x1c0
[ 75.228980][ T8760]    do_exit+0x904/0x2eb0
[ 75.233727][ T8760]    do_group_exit+0x135/0x360
[ 75.238545][ T8760]    get_signal+0x47c/0x2500
[ 75.243115][ T8760]    do_signal+0x87/0x1700
[ 75.247506][ T8760]    exit_to_usermode_loop+0x251/0x2d0
[ 75.252971][ T8760]    do_syscall_64+0x5a9/0x6a0
[ 75.257729][ T8760]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.263765][ T8760]
[ 75.266080][ T8760]
[ 75.266080][ T8760] stack backtrace:
[ 75.271951][ T8760] CPU: 0 PID: 8760 Comm: syz-executor100 Not tainted 5.2.0-rc6-next-20190624 #21
[ 75.281135][ T8760] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.291176][ T8760] Call Trace:
[ 75.294456][ T8760]  dump_stack+0x172/0x1f0
[ 75.298777][ T8760]  print_irq_inversion_bug.part.0+0x2c5/0x2d2
[ 75.304910][ T8760]  check_usage_backwards.cold+0x1d/0x26
[ 75.310448][ T8760]  ? print_shortest_lock_dependencies+0x90/0x90
[ 75.316674][ T8760]  ? stack_trace_save+0xac/0xe0
[ 75.321505][ T8760]  ? stack_trace_consume_entry+0x190/0x190
[ 75.327287][ T8760]  ? __lockdep_reset_lock+0x450/0x450
[ 75.332636][ T8760]  mark_lock+0x4fa/0x11e0
[ 75.336961][ T8760]  ? print_shortest_lock_dependencies+0x90/0x90
[ 75.343179][ T8760]  __lock_acquire+0x13f7/0x4680
[ 75.348008][ T8760]  ? trace_hardirqs_off+0x62/0x240
[ 75.353102][ T8760]  ? kasan_check_read+0x11/0x20
[ 75.357930][ T8760]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 75.363715][ T8760]  ? mark_held_locks+0xf0/0xf0
[ 75.368473][ T8760]  ? kasan_check_read+0x11/0x20
[ 75.373320][ T8760]  lock_acquire+0x190/0x410
[ 75.377803][ T8760]  ? userfaultfd_release+0x4ca/0x710
[ 75.383064][ T8760]  _raw_spin_lock+0x2f/0x40
[ 75.387561][ T8760]  ? userfaultfd_release+0x4ca/0x710
[ 75.392839][ T8760]  userfaultfd_release+0x4ca/0x710
[ 75.397933][ T8760]  ? userfaultfd_event_wait_completion+0xa70/0xa70
[ 75.404417][ T8760]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 75.410643][ T8760]  ? ima_file_free+0xc9/0x430
[ 75.415318][ T8760]  __fput+0x2ff/0x890
[ 75.419291][ T8760]  ? userfaultfd_event_wait_completion+0xa70/0xa70
[ 75.425780][ T8760]  ____fput+0x16/0x20
[ 75.429750][ T8760]  task_work_run+0x145/0x1c0
[ 75.434338][ T8760]  do_exit+0x904/0x2eb0
[ 75.438479][ T8760]  ? mm_update_next_owner+0x640/0x640
[ 75.443849][ T8760]  ? lock_downgrade+0x920/0x920
[ 75.448794][ T8760]  ? _raw_spin_unlock_irq+0x28/0x90
[ 75.453994][ T8760]  ? get_signal+0x392/0x2500
[ 75.458562][ T8760]  ? _raw_spin_unlock_irq+0x28/0x90
[ 75.463738][ T8760]  do_group_exit+0x135/0x360
[ 75.468307][ T8760]  get_signal+0x47c/0x2500
[ 75.472710][ T8760]  ? __x64_sys_io_submit+0x31f/0x570
[ 75.478130][ T8760]  ? find_held_lock+0x35/0x130
[ 75.482875][ T8760]  ? __x64_sys_io_submit+0x31f/0x570
[ 75.488156][ T8760]  do_signal+0x87/0x1700
[ 75.492405][ T8760]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 75.498625][ T8760]  ? kasan_check_read+0x11/0x20
[ 75.503455][ T8760]  ? setup_sigcontext+0x7d0/0x7d0
[ 75.508463][ T8760]  ? exit_to_usermode_loop+0x43/0x2d0
[ 75.513814][ T8760]  ? do_syscall_64+0x5a9/0x6a0
[ 75.518564][ T8760]  ? exit_to_usermode_loop+0x43/0x2d0
[ 75.524066][ T8760]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 75.529328][ T8760]  ? trace_hardirqs_on+0x67/0x240
[ 75.534328][ T8760]  exit_to_usermode_loop+0x251/0x2d0
[ 75.539749][ T8760]  do_syscall_64+0x5a9/0x6a0
[ 75.544430][ T8760]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.550307][ T8760] RIP: 0033:0x445919
[ 75.554187][ T8760] Code: Bad RIP value.
[ 75.558229][ T8760] RSP: 002b:00007fa2cf973db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 75.566616][ T8760] RAX: fffffffffffffe00 RB