[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   38.212879][   T26] audit: type=1800 audit(1550277083.028:25): pid=7648 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   38.250883][   T26] audit: type=1800 audit(1550277083.028:26): pid=7648 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   38.274994][   T26] audit: type=1800 audit(1550277083.038:27): pid=7648 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.51' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   52.129777][ T7802] 
[   52.132161][ T7802] ========================================================
[   52.139334][ T7802] WARNING: possible irq lock inversion dependency detected
[   52.146502][ T7802] 5.0.0-rc6-next-20190215 #36 Not tainted
[   52.152195][ T7802] --------------------------------------------------------
[   52.159370][ T7802] syz-executor216/7802 just changed the state of lock:
[   52.166185][ T7802] 000000003a860985 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0
[   52.176141][ T7802] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[   52.184195][ T7802]  (&(&ctx->ctx_lock)->rlock){..-.}
[   52.184202][ T7802] 
[   52.184202][ T7802] 
[   52.184202][ T7802] and interrupts could create inverse lock ordering between them.
[   52.184202][ T7802] 
[   52.203651][ T7802] 
[   52.203651][ T7802] other info that might help us debug this:
[   52.211705][ T7802] Chain exists of:
[   52.211705][ T7802]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[   52.211705][ T7802] 
[   52.225911][ T7802]  Possible interrupt unsafe locking scenario:
[   52.225911][ T7802] 
[   52.234207][ T7802]        CPU0                    CPU1
[   52.239547][ T7802]        ----                    ----
[   52.244889][ T7802]   lock(&ctx->fault_pending_wqh);
[   52.249973][ T7802]                                local_irq_disable();
[   52.256704][ T7802]                                lock(&(&ctx->ctx_lock)->rlock);
[   52.264391][ T7802]                                lock(&ctx->fd_wqh);
[   52.271036][ T7802]   <Interrupt>
[   52.274467][ T7802]     lock(&(&ctx->ctx_lock)->rlock);
[   52.279808][ T7802] 
[   52.279808][ T7802]  *** DEADLOCK ***
[   52.279808][ T7802] 
[   52.288202][ T7802] no locks held by syz-executor216/7802.
[   52.293802][ T7802] 
[   52.293802][ T7802] the shortest dependencies between 2nd lock and 1st lock:
[   52.303141][ T7802]   -> (&(&ctx->ctx_lock)->rlock){..-.} {
[   52.308853][ T7802]      IN-SOFTIRQ-W at:
[   52.312991][ T7802]                         lock_acquire+0x16f/0x3f0
[   52.319466][ T7802]                         _raw_spin_lock_irq+0x60/0x80
[   52.326288][ T7802]                         free_ioctx_users+0x2d/0x4a0
[   52.333040][ T7802]                         percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[   52.341166][ T7802]                         rcu_core+0x928/0x1390
[   52.347401][ T7802]                         __do_softirq+0x266/0x95a
[   52.353879][ T7802]                         irq_exit+0x180/0x1d0
[   52.360005][ T7802]                         smp_apic_timer_interrupt+0x14a/0x570
[   52.367534][ T7802]                         apic_timer_interrupt+0xf/0x20
[   52.374458][ T7802]                         native_safe_halt+0x2/0x10
[   52.381018][ T7802]                         arch_cpu_idle+0x10/0x20
[   52.387401][ T7802]                         default_idle_call+0x36/0x90
[   52.394135][ T7802]                         do_idle+0x386/0x570
[   52.400172][ T7802]                         cpu_startup_entry+0x1b/0x20
[   52.406911][ T7802]                         rest_init+0x245/0x37b
[   52.413124][ T7802]                         arch_call_rest_init+0xe/0x1b
[   52.419970][ T7802]                         start_kernel+0x816/0x84f
[   52.426445][ T7802]                         x86_64_start_reservations+0x29/0x2b
[   52.433874][ T7802]                         x86_64_start_kernel+0x77/0x7b
[   52.440780][ T7802]                         secondary_startup_64+0xa4/0xb0
[   52.447770][ T7802]      INITIAL USE at:
[   52.451817][ T7802]                        lock_acquire+0x16f/0x3f0
[   52.458211][ T7802]                        _raw_spin_lock_irq+0x60/0x80
[   52.464953][ T7802]                        io_submit_one+0xeb6/0x1cf0
[   52.471520][ T7802]                        __x64_sys_io_submit+0x1bd/0x580
[   52.478518][ T7802]                        do_syscall_64+0x103/0x610
[   52.484994][ T7802]                        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.492767][ T7802]    }
[   52.495421][ T7802]    ... key      at: [<ffffffff8a589280>] __key.52635+0x0/0x40
[   52.503016][ T7802]    ... acquired at:
[   52.506970][ T7802]    _raw_spin_lock+0x2f/0x40
[   52.511624][ T7802]    io_submit_one+0xedf/0x1cf0
[   52.516447][ T7802]    __x64_sys_io_submit+0x1bd/0x580
[   52.521709][ T7802]    do_syscall_64+0x103/0x610
[   52.526445][ T7802]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.532475][ T7802] 
[   52.534774][ T7802]  -> (&ctx->fd_wqh){....} {
[   52.539336][ T7802]     INITIAL USE at:
[   52.543291][ T7802]                      lock_acquire+0x16f/0x3f0
[   52.549506][ T7802]                      _raw_spin_lock_irq+0x60/0x80
[   52.556068][ T7802]                      userfaultfd_read+0x27a/0x1940
[   52.562717][ T7802]                      __vfs_read+0x8d/0x110
[   52.568671][ T7802]                      vfs_read+0x194/0x3e0
[   52.574537][ T7802]                      ksys_read+0xea/0x1f0
[   52.580401][ T7802]                      __x64_sys_read+0x73/0xb0
[   52.586616][ T7802]                      do_syscall_64+0x103/0x610
[   52.592922][ T7802]                      entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.600518][ T7802]   }
[   52.603107][ T7802]   ... key      at: [<ffffffff8a589000>] __key.45558+0x0/0x40
[   52.610632][ T7802]   ... acquired at:
[   52.614502][ T7802]    _raw_spin_lock+0x2f/0x40
[   52.619150][ T7802]    userfaultfd_read+0x540/0x1940
[   52.624232][ T7802]    __vfs_read+0x8d/0x110
[   52.628621][ T7802]    vfs_read+0x194/0x3e0
[   52.632924][ T7802]    ksys_read+0xea/0x1f0
[   52.637223][ T7802]    __x64_sys_read+0x73/0xb0
[   52.641874][ T7802]    do_syscall_64+0x103/0x610
[   52.646611][ T7802]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.652643][ T7802] 
[   52.654944][ T7802] -> (&ctx->fault_pending_wqh){+.+.} {
[   52.660377][ T7802]    HARDIRQ-ON-W at:
[   52.664335][ T7802]                     lock_acquire+0x16f/0x3f0
[   52.670483][ T7802]                     _raw_spin_lock+0x2f/0x40
[   52.676630][ T7802]                     userfaultfd_release+0x48e/0x6d0
[   52.683364][ T7802]                     __fput+0x2e5/0x8d0
[   52.688970][ T7802]                     ____fput+0x16/0x20
[   52.694575][ T7802]                     task_work_run+0x14a/0x1c0
[   52.700802][ T7802]                     do_exit+0x90a/0x2fa0
[   52.706579][ T7802]                     do_group_exit+0x135/0x370
[   52.712795][ T7802]                     get_signal+0x399/0x1d50
[   52.718834][ T7802]                     do_signal+0x87/0x1940
[   52.724700][ T7802]                     exit_to_usermode_loop+0x244/0x2c0
[   52.731610][ T7802]                     do_syscall_64+0x52d/0x610
[   52.737824][ T7802]                     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.745334][ T7802]    SOFTIRQ-ON-W at:
[   52.749295][ T7802]                     lock_acquire+0x16f/0x3f0
[   52.755422][ T7802]                     _raw_spin_lock+0x2f/0x40
[   52.761546][ T7802]                     userfaultfd_release+0x48e/0x6d0
[   52.768313][ T7802]                     __fput+0x2e5/0x8d0
[   52.773917][ T7802]                     ____fput+0x16/0x20
[   52.779520][ T7802]                     task_work_run+0x14a/0x1c0
[   52.785737][ T7802]                     do_exit+0x90a/0x2fa0
[   52.791523][ T7802]                     do_group_exit+0x135/0x370
[   52.797756][ T7802]                     get_signal+0x399/0x1d50
[   52.803797][ T7802]                     do_signal+0x87/0x1940
[   52.809667][ T7802]                     exit_to_usermode_loop+0x244/0x2c0
[   52.816578][ T7802]                     do_syscall_64+0x52d/0x610
[   52.822792][ T7802]                     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.830306][ T7802]    INITIAL USE at:
[   52.834218][ T7802]                    lock_acquire+0x16f/0x3f0
[   52.840257][ T7802]                    _raw_spin_lock+0x2f/0x40
[   52.846298][ T7802]                    userfaultfd_read+0x540/0x1940
[   52.852774][ T7802]                    __vfs_read+0x8d/0x110
[   52.858553][ T7802]                    vfs_read+0x194/0x3e0
[   52.864246][ T7802]                    ksys_read+0xea/0x1f0
[   52.869938][ T7802]                    __x64_sys_read+0x73/0xb0
[   52.875983][ T7802]                    do_syscall_64+0x103/0x610
[   52.882110][ T7802]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.889535][ T7802]  }
[   52.892017][ T7802]  ... key      at: [<ffffffff8a5890c0>] __key.45555+0x0/0x40
[   52.899440][ T7802]  ... acquired at:
[   52.903235][ T7802]    mark_lock+0x427/0x1380
[   52.907711][ T7802]    __lock_acquire+0xe41/0x4710
[   52.912621][ T7802]    lock_acquire+0x16f/0x3f0
[   52.917273][ T7802]    _raw_spin_lock+0x2f/0x40
[   52.921922][ T7802]    userfaultfd_release+0x48e/0x6d0
[   52.927179][ T7802]    __fput+0x2e5/0x8d0
[   52.931314][ T7802]    ____fput+0x16/0x20
[   52.935460][ T7802]    task_work_run+0x14a/0x1c0
[   52.940201][ T7802]    do_exit+0x90a/0x2fa0
[   52.944504][ T7802]    do_group_exit+0x135/0x370
[   52.949259][ T7802]    get_signal+0x399/0x1d50
[   52.953825][ T7802]    do_signal+0x87/0x1940
[   52.958231][ T7802]    exit_to_usermode_loop+0x244/0x2c0
[   52.963662][ T7802]    do_syscall_64+0x52d/0x610
[   52.968400][ T7802]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.974431][ T7802] 
[   52.976732][ T7802] 
[   52.976732][ T7802] stack backtrace:
[   52.982597][ T7802] CPU: 0 PID: 7802 Comm: syz-executor216 Not tainted 5.0.0-rc6-next-20190215 #36
[   52.991671][ T7802] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.001699][ T7802] Call Trace:
[   53.004967][ T7802]  dump_stack+0x172/0x1f0
[   53.009276][ T7802]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[   53.015318][ T7802]  check_usage_backwards.cold+0x1d/0x26
[   53.020840][ T7802]  ? print_shortest_lock_dependencies+0x90/0x90
[   53.027058][ T7802]  ? save_stack_trace+0x1a/0x20
[   53.031883][ T7802]  ? save_trace+0xe0/0x290
[   53.036293][ T7802]  mark_lock+0x427/0x1380
[   53.040598][ T7802]  ? print_shortest_lock_dependencies+0x90/0x90
[   53.046826][ T7802]  __lock_acquire+0xe41/0x4710
[   53.051565][ T7802]  ? depot_save_stack+0x1de/0x460
[   53.056580][ T7802]  ? kasan_check_write+0x14/0x20
[   53.061506][ T7802]  ? mark_held_locks+0xf0/0xf0
[   53.066247][ T7802]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[   53.072029][ T7802]  ? depot_save_stack+0x1de/0x460
[   53.077029][ T7802]  ? __lock_acquire+0x55d/0x4710
[   53.081942][ T7802]  ? __lock_acquire+0x55d/0x4710
[   53.086853][ T7802]  ? free_fs_struct+0x4f/0x70
[   53.091506][ T7802]  ? do_exit+0x8e0/0x2fa0
[   53.095812][ T7802]  lock_acquire+0x16f/0x3f0
[   53.100291][ T7802]  ? userfaultfd_release+0x48e/0x6d0
[   53.105566][ T7802]  _raw_spin_lock+0x2f/0x40
[   53.110045][ T7802]  ? userfaultfd_release+0x48e/0x6d0
[   53.115305][ T7802]  userfaultfd_release+0x48e/0x6d0
[   53.120392][ T7802]  ? userfaultfd_wake_function+0x2f0/0x2f0
[   53.126174][ T7802]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   53.132398][ T7802]  ? ima_file_free+0xc9/0x4a0
[   53.137051][ T7802]  ? __might_sleep+0x95/0x190
[   53.141712][ T7802]  ? userfaultfd_wake_function+0x2f0/0x2f0
[   53.147495][ T7802]  __fput+0x2e5/0x8d0
[   53.151457][ T7802]  ____fput+0x16/0x20
[   53.155414][ T7802]  task_work_run+0x14a/0x1c0
[   53.160173][ T7802]  do_exit+0x90a/0x2fa0
[   53.164313][ T7802]  ? get_signal+0x331/0x1d50
[   53.168881][ T7802]  ? mm_update_next_owner+0x640/0x640
[   53.174230][ T7802]  ? kasan_check_write+0x14/0x20
[   53.179163][ T7802]  ? _raw_spin_unlock_irq+0x28/0x90
[   53.184342][ T7802]  ? get_signal+0x331/0x1d50
[   53.188910][ T7802]  ? _raw_spin_unlock_irq+0x28/0x90
[   53.194085][ T7802]  do_group_exit+0x135/0x370
[   53.198671][ T7802]  get_signal+0x399/0x1d50
[   53.203070][ T7802]  ? __x64_sys_io_submit+0x31f/0x580
[   53.208335][ T7802]  do_signal+0x87/0x1940
[   53.212554][ T7802]  ? lock_downgrade+0x880/0x880
[   53.217378][ T7802]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.223593][ T7802]  ? kasan_check_read+0x11/0x20
[   53.228420][ T7802]  ? setup_sigcontext+0x7d0/0x7d0
[   53.233422][ T7802]  ? exit_to_usermode_loop+0x43/0x2c0
[   53.238772][ T7802]  ? do_syscall_64+0x52d/0x610
[   53.243508][ T7802]  ? exit_to_usermode_loop+0x43/0x2c0
[   53.248854][ T7802]  ? lockdep_hardirqs_on+0x418/0x5d0
[   53.254112][ T7802]  ? trace_hardirqs_on+0x67/0x230
[   53.259111][ T7802]  exit_to_usermode_loop+0x244/0x2c0
[   53.264390][ T7802]  do_syscall_64+0x52d/0x610
[   53.268960][ T7802]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.274824][ T7802] RIP: 0033:0x4457a9
[   53.278700][ T7802] Code: Bad RIP value.
[   53.282765][ T7802] RS