[ ok ] Starting periodic command scheduler: cron. Starting mcstransd: [ ok ] Starting file context maintaining daemon: restorecond. [ ok ] Starting OpenBSD Secure Shell server: sshd. [FAIL] startpar: service(s) returned failure: ssh ... failed! Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 53.291073][ T26] kauditd_printk_skb: 4 callbacks suppressed [ 53.291090][ T26] audit: type=1400 audit(1553808334.394:35): avc: denied { map } for pid=8173 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.10.40' (ECDSA) to the list of known hosts. executing program [ 60.024300][ T26] audit: type=1400 audit(1553808341.134:36): avc: denied { map } for pid=8185 comm="syz-executor676" path="/root/syz-executor676323522" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 60.284750][ T8187] [ 60.287098][ T8187] ======================================================== [ 60.294305][ T8187] WARNING: possible irq lock inversion dependency detected [ 60.301488][ T8187] 5.1.0-rc2+ #40 Not tainted [ 60.306050][ T8187] -------------------------------------------------------- [ 60.313227][ T8187] syz-executor676/8187 just changed the state of lock: [ 60.320071][ T8187] 000000001222084a (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0 [ 60.329805][ T8187] but this lock was taken by another, SOFTIRQ-safe lock in the past: [ 60.337848][ T8187] (&(&ctx->ctx_lock)->rlock){..-.} [ 60.337857][ T8187] [ 60.337857][ T8187] [ 60.337857][ T8187] and interrupts could create inverse lock ordering between them. 
[ 60.337857][ T8187] [ 60.357316][ T8187] [ 60.357316][ T8187] other info that might help us debug this: [ 60.365361][ T8187] Chain exists of: [ 60.365361][ T8187] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh [ 60.365361][ T8187] [ 60.379599][ T8187] Possible interrupt unsafe locking scenario: [ 60.379599][ T8187] [ 60.387988][ T8187] CPU0 CPU1 [ 60.393358][ T8187] ---- ---- [ 60.398709][ T8187] lock(&ctx->fault_pending_wqh); [ 60.403801][ T8187] local_irq_disable(); [ 60.410545][ T8187] lock(&(&ctx->ctx_lock)->rlock); [ 60.418241][ T8187] lock(&ctx->fd_wqh); [ 60.424899][ T8187] [ 60.428333][ T8187] lock(&(&ctx->ctx_lock)->rlock); [ 60.433704][ T8187] [ 60.433704][ T8187] *** DEADLOCK *** [ 60.433704][ T8187] [ 60.441841][ T8187] no locks held by syz-executor676/8187. [ 60.447472][ T8187] [ 60.447472][ T8187] the shortest dependencies between 2nd lock and 1st lock: [ 60.456829][ T8187] -> (&(&ctx->ctx_lock)->rlock){..-.} { [ 60.462559][ T8187] IN-SOFTIRQ-W at: [ 60.466727][ T8187] lock_acquire+0x16f/0x3f0 [ 60.473213][ T8187] _raw_spin_lock_irq+0x60/0x80 [ 60.480087][ T8187] free_ioctx_users+0x2d/0x4a0 [ 60.486842][ T8187] percpu_ref_switch_to_atomic_rcu+0x3e7/0x520 [ 60.494982][ T8187] rcu_core+0x928/0x1390 [ 60.501226][ T8187] __do_softirq+0x266/0x95a [ 60.507731][ T8187] irq_exit+0x180/0x1d0 [ 60.513870][ T8187] smp_apic_timer_interrupt+0x14a/0x570 [ 60.521399][ T8187] apic_timer_interrupt+0xf/0x20 [ 60.528319][ T8187] native_safe_halt+0x2/0x10 [ 60.535109][ T8187] arch_cpu_idle+0x10/0x20 [ 60.541517][ T8187] default_idle_call+0x36/0x90 [ 60.548266][ T8187] do_idle+0x386/0x570 [ 60.554360][ T8187] cpu_startup_entry+0x1b/0x20 [ 60.561129][ T8187] rest_init+0x245/0x37b [ 60.567899][ T8187] arch_call_rest_init+0xe/0x1b [ 60.574734][ T8187] start_kernel+0x816/0x84f [ 60.581240][ T8187] x86_64_start_reservations+0x29/0x2b [ 60.588684][ T8187] x86_64_start_kernel+0x77/0x7b [ 60.595619][ T8187] secondary_startup_64+0xa4/0xb0 [ 60.602619][ 
T8187] INITIAL USE at: [ 60.606739][ T8187] lock_acquire+0x16f/0x3f0 [ 60.613138][ T8187] _raw_spin_lock_irq+0x60/0x80 [ 60.619905][ T8187] io_submit_one+0xe0c/0x1cf0 [ 60.626481][ T8187] __x64_sys_io_submit+0x1bd/0x580 [ 60.633491][ T8187] do_syscall_64+0x103/0x610 [ 60.639986][ T8187] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 60.647787][ T8187] } [ 60.650456][ T8187] ... key at: [] __key.52644+0x0/0x40 [ 60.658057][ T8187] ... acquired at: [ 60.662042][ T8187] lock_acquire+0x16f/0x3f0 [ 60.666718][ T8187] _raw_spin_lock+0x2f/0x40 [ 60.671383][ T8187] io_submit_one+0xe35/0x1cf0 [ 60.676484][ T8187] __x64_sys_io_submit+0x1bd/0x580 [ 60.681758][ T8187] do_syscall_64+0x103/0x610 [ 60.686512][ T8187] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 60.692582][ T8187] [ 60.694896][ T8187] -> (&ctx->fd_wqh){....} { [ 60.699464][ T8187] INITIAL USE at: [ 60.703427][ T8187] lock_acquire+0x16f/0x3f0 [ 60.709649][ T8187] _raw_spin_lock_irq+0x60/0x80 [ 60.716222][ T8187] userfaultfd_read+0x27a/0x1940 [ 60.722882][ T8187] do_iter_read+0x4a9/0x660 [ 60.729112][ T8187] vfs_readv+0xf0/0x160 [ 60.734992][ T8187] do_readv+0xf6/0x290 [ 60.740786][ T8187] __x64_sys_readv+0x75/0xb0 [ 60.747331][ T8187] do_syscall_64+0x103/0x610 [ 60.753673][ T8187] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 60.761278][ T8187] } [ 60.763861][ T8187] ... key at: [] __key.45453+0x0/0x40 [ 60.771381][ T8187] ... 
acquired at: [ 60.775265][ T8187] lock_acquire+0x16f/0x3f0 [ 60.779940][ T8187] _raw_spin_lock+0x2f/0x40 [ 60.784593][ T8187] userfaultfd_read+0x540/0x1940 [ 60.789681][ T8187] do_iter_read+0x4a9/0x660 [ 60.794336][ T8187] vfs_readv+0xf0/0x160 [ 60.798643][ T8187] do_readv+0xf6/0x290 [ 60.802897][ T8187] __x64_sys_readv+0x75/0xb0 [ 60.807642][ T8187] do_syscall_64+0x103/0x610 [ 60.812388][ T8187] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 60.818602][ T8187] [ 60.820904][ T8187] -> (&ctx->fault_pending_wqh){+.+.} { [ 60.826342][ T8187] HARDIRQ-ON-W at: [ 60.830315][ T8187] lock_acquire+0x16f/0x3f0 [ 60.836481][ T8187] _raw_spin_lock+0x2f/0x40 [ 60.842647][ T8187] userfaultfd_release+0x48e/0x6d0 [ 60.849424][ T8187] __fput+0x2e5/0x8d0 [ 60.855061][ T8187] ____fput+0x16/0x20 [ 60.860675][ T8187] task_work_run+0x14a/0x1c0 [ 60.866900][ T8187] do_exit+0x90a/0x2fa0 [ 60.872688][ T8187] do_group_exit+0x135/0x370 [ 60.879017][ T8187] get_signal+0x399/0x1d50 [ 60.885068][ T8187] do_signal+0x87/0x1940 [ 60.890947][ T8187] exit_to_usermode_loop+0x244/0x2c0 [ 60.897868][ T8187] do_syscall_64+0x52d/0x610 [ 60.904095][ T8187] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 60.911728][ T8187] SOFTIRQ-ON-W at: [ 60.915700][ T8187] lock_acquire+0x16f/0x3f0 [ 60.921853][ T8187] _raw_spin_lock+0x2f/0x40 [ 60.927991][ T8187] userfaultfd_release+0x48e/0x6d0 [ 60.934908][ T8187] __fput+0x2e5/0x8d0 [ 60.940543][ T8187] ____fput+0x16/0x20 [ 60.946166][ T8187] task_work_run+0x14a/0x1c0 [ 60.952394][ T8187] do_exit+0x90a/0x2fa0 [ 60.958183][ T8187] do_group_exit+0x135/0x370 [ 60.964407][ T8187] get_signal+0x399/0x1d50 [ 60.970462][ T8187] do_signal+0x87/0x1940 [ 60.977314][ T8187] exit_to_usermode_loop+0x244/0x2c0 [ 60.984239][ T8187] do_syscall_64+0x52d/0x610 [ 60.990485][ T8187] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 60.998021][ T8187] INITIAL USE at: [ 61.001899][ T8187] lock_acquire+0x16f/0x3f0 [ 61.007948][ T8187] _raw_spin_lock+0x2f/0x40 [ 61.014259][ T8187] 
userfaultfd_read+0x540/0x1940 [ 61.020770][ T8187] do_iter_read+0x4a9/0x660 [ 61.027026][ T8187] vfs_readv+0xf0/0x160 [ 61.032734][ T8187] do_readv+0xf6/0x290 [ 61.038375][ T8187] __x64_sys_readv+0x75/0xb0 [ 61.044515][ T8187] do_syscall_64+0x103/0x610 [ 61.050659][ T8187] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 61.058223][ T8187] } [ 61.060711][ T8187] ... key at: [] __key.45450+0x0/0x40 [ 61.068163][ T8187] ... acquired at: [ 61.071976][ T8187] mark_lock+0x427/0x1380 [ 61.076462][ T8187] __lock_acquire+0x1317/0x3fb0 [ 61.081470][ T8187] lock_acquire+0x16f/0x3f0 [ 61.086126][ T8187] _raw_spin_lock+0x2f/0x40 [ 61.090794][ T8187] userfaultfd_release+0x48e/0x6d0 [ 61.096065][ T8187] __fput+0x2e5/0x8d0 [ 61.100202][ T8187] ____fput+0x16/0x20 [ 61.104338][ T8187] task_work_run+0x14a/0x1c0 [ 61.109099][ T8187] do_exit+0x90a/0x2fa0 [ 61.113498][ T8187] do_group_exit+0x135/0x370 [ 61.118236][ T8187] get_signal+0x399/0x1d50 [ 61.122816][ T8187] do_signal+0x87/0x1940 [ 61.127221][ T8187] exit_to_usermode_loop+0x244/0x2c0 [ 61.132660][ T8187] do_syscall_64+0x52d/0x610 [ 61.137420][ T8187] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 61.143459][ T8187] [ 61.145761][ T8187] [ 61.145761][ T8187] stack backtrace: [ 61.151633][ T8187] CPU: 0 PID: 8187 Comm: syz-executor676 Not tainted 5.1.0-rc2+ #40 [ 61.159595][ T8187] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 61.169809][ T8187] Call Trace: [ 61.173174][ T8187] dump_stack+0x172/0x1f0 [ 61.177489][ T8187] print_irq_inversion_bug.part.0+0x2c0/0x2cd [ 61.183632][ T8187] check_usage_backwards.cold+0x1d/0x26 [ 61.189161][ T8187] ? print_shortest_lock_dependencies+0x90/0x90 [ 61.195406][ T8187] ? save_stack_trace+0x1a/0x20 [ 61.200242][ T8187] mark_lock+0x427/0x1380 [ 61.204584][ T8187] ? print_shortest_lock_dependencies+0x90/0x90 [ 61.210813][ T8187] __lock_acquire+0x1317/0x3fb0 [ 61.215648][ T8187] ? __save_stack_trace+0x99/0x100 [ 61.220760][ T8187] ? 
mark_held_locks+0xf0/0xf0 [ 61.225521][ T8187] ? save_stack+0xa9/0xd0 [ 61.229832][ T8187] ? save_stack+0x45/0xd0 [ 61.234144][ T8187] ? __kasan_slab_free+0x102/0x150 [ 61.239241][ T8187] ? kasan_slab_free+0xe/0x10 [ 61.243896][ T8187] ? kmem_cache_free+0x86/0x260 [ 61.248726][ T8187] ? free_fs_struct+0x4f/0x70 [ 61.253378][ T8187] ? exit_fs+0xf0/0x130 [ 61.257517][ T8187] lock_acquire+0x16f/0x3f0 [ 61.262029][ T8187] ? userfaultfd_release+0x48e/0x6d0 [ 61.267303][ T8187] _raw_spin_lock+0x2f/0x40 [ 61.271797][ T8187] ? userfaultfd_release+0x48e/0x6d0 [ 61.277253][ T8187] userfaultfd_release+0x48e/0x6d0 [ 61.282361][ T8187] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 61.288171][ T8187] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 61.294403][ T8187] ? ima_file_free+0xc9/0x4a0 [ 61.299062][ T8187] ? __might_sleep+0x95/0x190 [ 61.303747][ T8187] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 61.309540][ T8187] __fput+0x2e5/0x8d0 [ 61.313500][ T8187] ____fput+0x16/0x20 [ 61.317459][ T8187] task_work_run+0x14a/0x1c0 [ 61.322036][ T8187] do_exit+0x90a/0x2fa0 [ 61.326171][ T8187] ? get_signal+0x331/0x1d50 [ 61.330743][ T8187] ? mm_update_next_owner+0x640/0x640 [ 61.336109][ T8187] ? kasan_check_write+0x14/0x20 [ 61.341032][ T8187] ? _raw_spin_unlock_irq+0x28/0x90 [ 61.346215][ T8187] ? get_signal+0x331/0x1d50 [ 61.350804][ T8187] ? _raw_spin_unlock_irq+0x28/0x90 [ 61.356015][ T8187] do_group_exit+0x135/0x370 [ 61.360589][ T8187] get_signal+0x399/0x1d50 [ 61.365000][ T8187] ? __x64_sys_io_submit+0x31f/0x580 [ 61.370277][ T8187] do_signal+0x87/0x1940 [ 61.374511][ T8187] ? lock_downgrade+0x880/0x880 [ 61.379350][ T8187] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 61.385581][ T8187] ? kasan_check_read+0x11/0x20 [ 61.390447][ T8187] ? setup_sigcontext+0x7d0/0x7d0 [ 61.395463][ T8187] ? exit_to_usermode_loop+0x43/0x2c0 [ 61.400823][ T8187] ? do_syscall_64+0x52d/0x610 [ 61.405595][ T8187] ? exit_to_usermode_loop+0x43/0x2c0 [ 61.410959][ T8187] ? 
lockdep_hardirqs_on+0x418/0x5d0 [ 61.416271][ T8187] ? trace_hardirqs_on+0x67/0x230 [ 61.421580][ T8187] exit_to_usermode_loop+0x244/0x2c0 [ 61.426852][ T8187] do_syscall_64+0x52d/0x610 [ 61.431429][ T8187] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 61.437313][ T8187] RIP: 0033:0x4458f9 [ 61.441191][ T8187] Code: Bad RIP value. [ 61.445254][ T8187] RSP: 002b:00007fd99a4dddb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 61.453667][ T8187] RAX: fffffffffffffe00 RBX: 00000000006dac58 RCX: 00000000004458f9 [ 61.461622][ T8187] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dac58 [ 61.469577][ T8187] RBP: 00000000006dac50 R08: 0000000000000000 R09: 0000000000000000 [ 61.477531][ T8187] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac5c [ 61.485510][ T8187] R13: 00007ffc58502e6f R14: 00