[ 38.484616][ T26] audit: type=1800 audit(1554290294.111:26): pid=7561 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 38.532514][ T26] audit: type=1800 audit(1554290294.111:27): pid=7561 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 38.553452][ T26] audit: type=1800 audit(1554290294.111:28): pid=7561 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 39.680796][ T26] audit: type=1800 audit(1554290295.331:29): pid=7561 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.253' (ECDSA) to the list of known hosts.
executing program

syzkaller login: [ 50.303339][ T7714]
[ 50.305969][ T7714] ========================================================
[ 50.313174][ T7714] WARNING: possible irq lock inversion dependency detected
[ 50.320454][ T7714] 5.1.0-rc3+ #48 Not tainted
[ 50.325017][ T7714] --------------------------------------------------------
[ 50.332348][ T7714] syz-executor944/7714 just changed the state of lock:
[ 50.339168][ T7714] 00000000e43e43c5 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0
[ 50.348966][ T7714] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 50.357095][ T7714]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 50.357103][ T7714]
[ 50.357103][ T7714]
[ 50.357103][ T7714] and interrupts could create inverse lock ordering between them.
[ 50.357103][ T7714]
[ 50.376752][ T7714]
[ 50.376752][ T7714] other info that might help us debug this:
[ 50.384795][ T7714] Chain exists of:
[ 50.384795][ T7714]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 50.384795][ T7714]
[ 50.399369][ T7714]  Possible interrupt unsafe locking scenario:
[ 50.399369][ T7714]
[ 50.407714][ T7714]        CPU0                    CPU1
[ 50.413194][ T7714]        ----                    ----
[ 50.418544][ T7714]   lock(&ctx->fault_pending_wqh);
[ 50.423641][ T7714]                                local_irq_disable();
[ 50.430377][ T7714]                                lock(&(&ctx->ctx_lock)->rlock);
[ 50.438115][ T7714]                                lock(&ctx->fd_wqh);
[ 50.444766][ T7714]
[ 50.448203][ T7714]     lock(&(&ctx->ctx_lock)->rlock);
[ 50.453551][ T7714]
[ 50.453551][ T7714]  *** DEADLOCK ***
[ 50.453551][ T7714]
[ 50.461682][ T7714] no locks held by syz-executor944/7714.
[ 50.467381][ T7714]
[ 50.467381][ T7714] the shortest dependencies between 2nd lock and 1st lock:
[ 50.476819][ T7714]  -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 50.482605][ T7714]     IN-SOFTIRQ-W at:
[ 50.490981][ T7714]       lock_acquire+0x16f/0x3f0
[ 50.497490][ T7714]       _raw_spin_lock_irq+0x60/0x80
[ 50.504332][ T7714]       free_ioctx_users+0x2d/0x4a0
[ 50.511102][ T7714]       percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[ 50.519326][ T7714]       rcu_core+0x928/0x1390
[ 50.525567][ T7714]       __do_softirq+0x266/0x95a
[ 50.532054][ T7714]       irq_exit+0x180/0x1d0
[ 50.538186][ T7714]       smp_apic_timer_interrupt+0x14a/0x570
[ 50.545708][ T7714]       apic_timer_interrupt+0xf/0x20
[ 50.552746][ T7714]       native_safe_halt+0x2/0x10
[ 50.559323][ T7714]       arch_cpu_idle+0x10/0x20
[ 50.565714][ T7714]       default_idle_call+0x36/0x90
[ 50.572546][ T7714]       do_idle+0x386/0x570
[ 50.578588][ T7714]       cpu_startup_entry+0x1b/0x20
[ 50.585345][ T7714]       start_secondary+0x360/0x4d0
[ 50.592141][ T7714]       secondary_startup_64+0xa4/0xb0
[ 50.599135][ T7714]     INITIAL USE at:
[ 50.603197][ T7714]       lock_acquire+0x16f/0x3f0
[ 50.609590][ T7714]       _raw_spin_lock_irq+0x60/0x80
[ 50.616493][ T7714]       io_submit_one+0xaec/0x2f90
[ 50.623066][ T7714]       __ia32_compat_sys_io_submit+0x1be/0x570
[ 50.631179][ T7714]       do_fast_syscall_32+0x281/0xc98
[ 50.638218][ T7714]       entry_SYSENTER_compat+0x70/0x7f
[ 50.645239][ T7714]   }
[ 50.647931][ T7714]   ... key at: [] __key.52649+0x0/0x40
[ 50.655530][ T7714]   ... acquired at:
[ 50.659578][ T7714]    lock_acquire+0x16f/0x3f0
[ 50.664747][ T7714]    _raw_spin_lock+0x2f/0x40
[ 50.669428][ T7714]    io_submit_one+0xb31/0x2f90
[ 50.674263][ T7714]    __ia32_compat_sys_io_submit+0x1be/0x570
[ 50.680246][ T7714]    do_fast_syscall_32+0x281/0xc98
[ 50.685428][ T7714]    entry_SYSENTER_compat+0x70/0x7f
[ 50.690810][ T7714]
[ 50.693145][ T7714]  -> (&ctx->fd_wqh){....} {
[ 50.697721][ T7714]     INITIAL USE at:
[ 50.701686][ T7714]       lock_acquire+0x16f/0x3f0
[ 50.707993][ T7714]       _raw_spin_lock_irq+0x60/0x80
[ 50.714738][ T7714]       userfaultfd_read+0x27a/0x1940
[ 50.721422][ T7714]       __vfs_read+0x8d/0x110
[ 50.727467][ T7714]       vfs_read+0x194/0x3e0
[ 50.733515][ T7714]       ksys_read+0xea/0x1f0
[ 50.739637][ T7714]       __ia32_sys_read+0x71/0xb0
[ 50.746138][ T7714]       do_fast_syscall_32+0x281/0xc98
[ 50.753236][ T7714]       entry_SYSENTER_compat+0x70/0x7f
[ 50.760054][ T7714]   }
[ 50.762632][ T7714]   ... key at: [] __key.45459+0x0/0x40
[ 50.770159][ T7714]   ... acquired at:
[ 50.774040][ T7714]    lock_acquire+0x16f/0x3f0
[ 50.778691][ T7714]    _raw_spin_lock+0x2f/0x40
[ 50.783346][ T7714]    userfaultfd_read+0x540/0x1940
[ 50.788545][ T7714]    __vfs_read+0x8d/0x110
[ 50.792936][ T7714]    vfs_read+0x194/0x3e0
[ 50.797244][ T7714]    ksys_read+0xea/0x1f0
[ 50.801552][ T7714]    __ia32_sys_read+0x71/0xb0
[ 50.806301][ T7714]    do_fast_syscall_32+0x281/0xc98
[ 50.811499][ T7714]    entry_SYSENTER_compat+0x70/0x7f
[ 50.817127][ T7714]
[ 50.819436][ T7714] -> (&ctx->fault_pending_wqh){+.+.} {
[ 50.824882][ T7714]    HARDIRQ-ON-W at:
[ 50.829793][ T7714]      lock_acquire+0x16f/0x3f0
[ 50.835933][ T7714]      _raw_spin_lock+0x2f/0x40
[ 50.842073][ T7714]      userfaultfd_release+0x48e/0x6d0
[ 50.848905][ T7714]      __fput+0x2e5/0x8d0
[ 50.854518][ T7714]      ____fput+0x16/0x20
[ 50.860157][ T7714]      task_work_run+0x14a/0x1c0
[ 50.866436][ T7714]      do_exit+0x90a/0x2fa0
[ 50.872225][ T7714]      do_group_exit+0x135/0x370
[ 50.878447][ T7714]      get_signal+0x399/0x1d50
[ 50.884589][ T7714]      do_signal+0x87/0x1940
[ 50.890490][ T7714]      exit_to_usermode_loop+0x244/0x2c0
[ 50.897421][ T7714]      do_fast_syscall_32+0xa9d/0xc98
[ 50.904167][ T7714]      entry_SYSENTER_compat+0x70/0x7f
[ 50.910917][ T7714]    SOFTIRQ-ON-W at:
[ 50.914887][ T7714]      lock_acquire+0x16f/0x3f0
[ 50.921159][ T7714]      _raw_spin_lock+0x2f/0x40
[ 50.927297][ T7714]      userfaultfd_release+0x48e/0x6d0
[ 50.934038][ T7714]      __fput+0x2e5/0x8d0
[ 50.939645][ T7714]      ____fput+0x16/0x20
[ 50.945378][ T7714]      task_work_run+0x14a/0x1c0
[ 50.951607][ T7714]      do_exit+0x90a/0x2fa0
[ 50.957390][ T7714]      do_group_exit+0x135/0x370
[ 50.963957][ T7714]      get_signal+0x399/0x1d50
[ 50.970011][ T7714]      do_signal+0x87/0x1940
[ 50.975888][ T7714]      exit_to_usermode_loop+0x244/0x2c0
[ 50.982802][ T7714]      do_fast_syscall_32+0xa9d/0xc98
[ 50.989466][ T7714]      entry_SYSENTER_compat+0x70/0x7f
[ 50.996220][ T7714]    INITIAL USE at:
[ 51.000136][ T7714]      lock_acquire+0x16f/0x3f0
[ 51.006196][ T7714]      _raw_spin_lock+0x2f/0x40
[ 51.012247][ T7714]      userfaultfd_read+0x540/0x1940
[ 51.018729][ T7714]      __vfs_read+0x8d/0x110
[ 51.024515][ T7714]      vfs_read+0x194/0x3e0
[ 51.030214][ T7714]      ksys_read+0xea/0x1f0
[ 51.036100][ T7714]      __ia32_sys_read+0x71/0xb0
[ 51.042239][ T7714]      do_fast_syscall_32+0x281/0xc98
[ 51.048803][ T7714]      entry_SYSENTER_compat+0x70/0x7f
[ 51.055454][ T7714]  }
[ 51.057942][ T7714]  ... key at: [] __key.45456+0x0/0x40
[ 51.065370][ T7714]  ... acquired at:
[ 51.069186][ T7714]    mark_lock+0x427/0x1380
[ 51.073672][ T7714]    __lock_acquire+0x1317/0x3fb0
[ 51.078677][ T7714]    lock_acquire+0x16f/0x3f0
[ 51.083423][ T7714]    _raw_spin_lock+0x2f/0x40
[ 51.088082][ T7714]    userfaultfd_release+0x48e/0x6d0
[ 51.093413][ T7714]    __fput+0x2e5/0x8d0
[ 51.097630][ T7714]    ____fput+0x16/0x20
[ 51.101770][ T7714]    task_work_run+0x14a/0x1c0
[ 51.106510][ T7714]    do_exit+0x90a/0x2fa0
[ 51.110818][ T7714]    do_group_exit+0x135/0x370
[ 51.115671][ T7714]    get_signal+0x399/0x1d50
[ 51.120254][ T7714]    do_signal+0x87/0x1940
[ 51.124662][ T7714]    exit_to_usermode_loop+0x244/0x2c0
[ 51.130199][ T7714]    do_fast_syscall_32+0xa9d/0xc98
[ 51.135379][ T7714]    entry_SYSENTER_compat+0x70/0x7f
[ 51.140719][ T7714]
[ 51.143035][ T7714]
[ 51.143035][ T7714] stack backtrace:
[ 51.148923][ T7714] CPU: 1 PID: 7714 Comm: syz-executor944 Not tainted 5.1.0-rc3+ #48
[ 51.156889][ T7714] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.166928][ T7714] Call Trace:
[ 51.170200][ T7714]  dump_stack+0x172/0x1f0
[ 51.174529][ T7714]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 51.180589][ T7714]  check_usage_backwards.cold+0x1d/0x26
[ 51.186117][ T7714]  ? print_shortest_lock_dependencies+0x90/0x90
[ 51.192390][ T7714]  ? save_stack_trace+0x1a/0x20
[ 51.197237][ T7714]  mark_lock+0x427/0x1380
[ 51.201562][ T7714]  ? print_shortest_lock_dependencies+0x90/0x90
[ 51.207876][ T7714]  __lock_acquire+0x1317/0x3fb0
[ 51.212711][ T7714]  ? trace_hardirqs_off+0x62/0x220
[ 51.217803][ T7714]  ? kasan_check_read+0x11/0x20
[ 51.222638][ T7714]  ? mark_held_locks+0xf0/0xf0
[ 51.227839][ T7714]  ? save_stack+0xa9/0xd0
[ 51.232152][ T7714]  ? save_stack+0x45/0xd0
[ 51.236467][ T7714]  ? __kasan_slab_free+0x102/0x150
[ 51.241574][ T7714]  ? kasan_slab_free+0xe/0x10
[ 51.246244][ T7714]  ? kmem_cache_free+0x86/0x260
[ 51.251082][ T7714]  ? free_fs_struct+0x4f/0x70
[ 51.255737][ T7714]  ? exit_fs+0xf0/0x130
[ 51.259875][ T7714]  lock_acquire+0x16f/0x3f0
[ 51.264371][ T7714]  ? userfaultfd_release+0x48e/0x6d0
[ 51.269643][ T7714]  _raw_spin_lock+0x2f/0x40
[ 51.274137][ T7714]  ? userfaultfd_release+0x48e/0x6d0
[ 51.279406][ T7714]  userfaultfd_release+0x48e/0x6d0
[ 51.284526][ T7714]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 51.290324][ T7714]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 51.296546][ T7714]  ? ima_file_free+0xc9/0x4a0
[ 51.301207][ T7714]  ? __might_sleep+0x95/0x190
[ 51.305860][ T7714]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 51.311648][ T7714]  __fput+0x2e5/0x8d0
[ 51.315622][ T7714]  ____fput+0x16/0x20
[ 51.319605][ T7714]  task_work_run+0x14a/0x1c0
[ 51.324183][ T7714]  do_exit+0x90a/0x2fa0
[ 51.328335][ T7714]  ? get_signal+0x331/0x1d50
[ 51.332905][ T7714]  ? mm_update_next_owner+0x640/0x640
[ 51.338449][ T7714]  ? kasan_check_write+0x14/0x20
[ 51.343394][ T7714]  ? _raw_spin_unlock_irq+0x28/0x90
[ 51.349290][ T7714]  ? get_signal+0x331/0x1d50
[ 51.353858][ T7714]  ? _raw_spin_unlock_irq+0x28/0x90
[ 51.359032][ T7714]  do_group_exit+0x135/0x370
[ 51.363606][ T7714]  get_signal+0x399/0x1d50
[ 51.368001][ T7714]  ? __ia32_compat_sys_io_submit+0x2fe/0x570
[ 51.374061][ T7714]  do_signal+0x87/0x1940
[ 51.378398][ T7714]  ? lock_downgrade+0x880/0x880
[ 51.383244][ T7714]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 51.389473][ T7714]  ? setup_sigcontext+0x7d0/0x7d0
[ 51.394502][ T7714]  ? exit_to_usermode_loop+0x43/0x2c0
[ 51.399855][ T7714]  ? do_fast_syscall_32+0xa9d/0xc98
[ 51.405027][ T7714]  ? exit_to_usermode_loop+0x43/0x2c0
[ 51.410483][ T7714]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 51.415841][ T7714]  ? trace_hardirqs_on+0x67/0x230
[ 51.420939][ T7714]  exit_to_usermode_loop+0x244/0x2c0
[ 51.426203][ T7714]  do_fast_syscall_32+0xa9d/0xc98
[ 51.431206][ T7714]  entry_SYSENTER_compat+0x70/0x7f
[ 51.436361][ T7714] RIP: 0023:0xf7fc6869
[ 51.440432][ T7714] Code: Bad RIP value.
[ 51.444477][ T7714] RSP: 002b:00000000f7fa11ec EFLAGS: 00000296 ORIG_RAX: 00000000000000f0
[ 51.452866][ T7714] RAX: fffffffffffffe00 RBX: 00000000080fb018