[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [ 79.217265][ T26] kauditd_printk_skb: 5 callbacks suppressed [ 79.217278][ T26] audit: type=1800 audit(1560765029.168:33): pid=9492 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 79.247557][ T26] audit: type=1800 audit(1560765029.168:34): pid=9492 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 83.532419][ T26] audit: type=1400 audit(1560765033.478:35): avc: denied { map } for pid=9669 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.171' (ECDSA) to the list of known hosts. executing program [ 90.006298][ T26] audit: type=1400 audit(1560765039.958:36): avc: denied { map } for pid=9681 comm="syz-executor833" path="/root/syz-executor833445074" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 90.286057][ T9683] [ 90.288408][ T9683] ======================================================== [ 90.295586][ T9683] WARNING: possible irq lock inversion dependency detected [ 90.302778][ T9683] 5.2.0-rc4+ #27 Not tainted [ 90.307365][ T9683] -------------------------------------------------------- [ 90.314582][ T9683] syz-executor833/9683 just changed the state of lock: [ 90.321406][ T9683] 00000000b78705eb (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x4ca/0x710 [ 90.331174][ T9683] but this lock was taken by another, SOFTIRQ-safe lock in the past: [ 90.339211][ T9683] (&(&ctx->ctx_lock)->rlock){..-.} [ 90.339218][ T9683] [ 90.339218][ T9683] [ 90.339218][ T9683] and interrupts could create inverse lock ordering between them. [ 90.339218][ T9683] [ 90.358682][ T9683] [ 90.358682][ T9683] other info that might help us debug this: [ 90.366736][ T9683] Chain exists of: [ 90.366736][ T9683] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh [ 90.366736][ T9683] [ 90.381220][ T9683] Possible interrupt unsafe locking scenario: [ 90.381220][ T9683] [ 90.389518][ T9683] CPU0 CPU1 [ 90.394860][ T9683] ---- ---- [ 90.400419][ T9683] lock(&ctx->fault_pending_wqh); [ 90.405504][ T9683] local_irq_disable(); [ 90.412235][ T9683] lock(&(&ctx->ctx_lock)->rlock); [ 90.419929][ T9683] lock(&ctx->fd_wqh); [ 90.426578][ T9683] [ 90.430182][ T9683] lock(&(&ctx->ctx_lock)->rlock); [ 90.435545][ T9683] [ 90.435545][ T9683] *** DEADLOCK *** [ 90.435545][ T9683] [ 90.443684][ T9683] no locks held by syz-executor833/9683. [ 90.449285][ T9683] [ 90.449285][ T9683] the shortest dependencies between 2nd lock and 1st lock: [ 90.458640][ T9683] -> (&(&ctx->ctx_lock)->rlock){..-.} { [ 90.464343][ T9683] IN-SOFTIRQ-W at: [ 90.468502][ T9683] lock_acquire+0x16f/0x3f0 [ 90.475008][ T9683] _raw_spin_lock_irq+0x60/0x80 [ 90.481865][ T9683] free_ioctx_users+0x2d/0x490 [ 90.488634][ T9683] percpu_ref_switch_to_atomic_rcu+0x407/0x540 [ 90.496776][ T9683] rcu_core+0xba5/0x1500 [ 90.503006][ T9683] __do_softirq+0x25c/0x94c [ 90.509486][ T9683] irq_exit+0x180/0x1d0 [ 90.515617][ T9683] smp_apic_timer_interrupt+0x13b/0x550 [ 90.523137][ T9683] apic_timer_interrupt+0xf/0x20 [ 90.530148][ T9683] native_safe_halt+0xe/0x10 [ 90.536729][ T9683] arch_cpu_idle+0xa/0x10 [ 90.543047][ T9683] default_idle_call+0x36/0x90 [ 90.549785][ T9683] do_idle+0x377/0x560 [ 90.555854][ T9683] cpu_startup_entry+0x1b/0x20 [ 90.562601][ T9683] start_secondary+0x34e/0x4c0 [ 90.569350][ T9683] secondary_startup_64+0xa4/0xb0 [ 90.576341][ T9683] INITIAL USE at: [ 90.580391][ T9683] lock_acquire+0x16f/0x3f0 [ 90.586799][ T9683] _raw_spin_lock_irq+0x60/0x80 [ 90.593555][ T9683] io_submit_one+0xeb5/0x2ef0 [ 90.600121][ T9683] __x64_sys_io_submit+0x1bd/0x570 [ 90.607128][ T9683] do_syscall_64+0xfd/0x680 [ 90.613519][ T9683] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 90.621926][ T9683] } [ 90.641507][ T9683] ... key at: [] __key.53428+0x0/0x40 [ 90.649111][ T9683] ... acquired at: [ 90.653097][ T9683] _raw_spin_lock+0x2f/0x40 [ 90.657756][ T9683] io_submit_one+0xefa/0x2ef0 [ 90.662584][ T9683] __x64_sys_io_submit+0x1bd/0x570 [ 90.670264][ T9683] do_syscall_64+0xfd/0x680 [ 90.674926][ T9683] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 90.680965][ T9683] [ 90.683287][ T9683] -> (&ctx->fd_wqh){....} { [ 90.687854][ T9683] INITIAL USE at: [ 90.691818][ T9683] lock_acquire+0x16f/0x3f0 [ 90.698040][ T9683] _raw_spin_lock_irq+0x60/0x80 [ 90.704607][ T9683] userfaultfd_read+0x27a/0x1940 [ 90.711317][ T9683] __vfs_read+0x8a/0x110 [ 90.717282][ T9683] vfs_read+0x194/0x3e0 [ 90.723170][ T9683] ksys_read+0x14f/0x290 [ 90.729136][ T9683] __x64_sys_read+0x73/0xb0 [ 90.735357][ T9683] do_syscall_64+0xfd/0x680 [ 90.741579][ T9683] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 90.749300][ T9683] } [ 90.751877][ T9683] ... key at: [] __key.46104+0x0/0x40 [ 90.759391][ T9683] ... acquired at: [ 90.763274][ T9683] _raw_spin_lock+0x2f/0x40 [ 90.767930][ T9683] userfaultfd_read+0x540/0x1940 [ 90.773020][ T9683] __vfs_read+0x8a/0x110 [ 90.777439][ T9683] vfs_read+0x194/0x3e0 [ 90.781756][ T9683] ksys_read+0x14f/0x290 [ 90.786158][ T9683] __x64_sys_read+0x73/0xb0 [ 90.790812][ T9683] do_syscall_64+0xfd/0x680 [ 90.795469][ T9683] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 90.801507][ T9683] [ 90.803811][ T9683] -> (&ctx->fault_pending_wqh){+.+.} { [ 90.809248][ T9683] HARDIRQ-ON-W at: [ 90.813226][ T9683] lock_acquire+0x16f/0x3f0 [ 90.819358][ T9683] _raw_spin_lock+0x2f/0x40 [ 90.825494][ T9683] userfaultfd_release+0x4ca/0x710 [ 90.832232][ T9683] __fput+0x2ff/0x890 [ 90.837848][ T9683] ____fput+0x16/0x20 [ 90.843457][ T9683] task_work_run+0x145/0x1c0 [ 90.849675][ T9683] do_exit+0x90a/0x2fa0 [ 90.855458][ T9683] do_group_exit+0x135/0x370 [ 90.861725][ T9683] get_signal+0x471/0x24b0 [ 90.867838][ T9683] do_signal+0x87/0x1900 [ 90.873711][ T9683] exit_to_usermode_loop+0x244/0x2c0 [ 90.880623][ T9683] do_syscall_64+0x58e/0x680 [ 90.886928][ T9683] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 90.894449][ T9683] SOFTIRQ-ON-W at: [ 90.898435][ T9683] lock_acquire+0x16f/0x3f0 [ 90.904585][ T9683] _raw_spin_lock+0x2f/0x40 [ 90.910718][ T9683] userfaultfd_release+0x4ca/0x710 [ 90.917458][ T9683] __fput+0x2ff/0x890 [ 90.923105][ T9683] ____fput+0x16/0x20 [ 90.928715][ T9683] task_work_run+0x145/0x1c0 [ 90.934936][ T9683] do_exit+0x90a/0x2fa0 [ 90.940721][ T9683] do_group_exit+0x135/0x370 [ 90.946953][ T9683] get_signal+0x471/0x24b0 [ 90.952994][ T9683] do_signal+0x87/0x1900 [ 90.958868][ T9683] exit_to_usermode_loop+0x244/0x2c0 [ 90.965783][ T9683] do_syscall_64+0x58e/0x680 [ 90.972002][ T9683] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 90.979519][ T9683] INITIAL USE at: [ 90.983403][ T9683] lock_acquire+0x16f/0x3f0 [ 90.989447][ T9683] _raw_spin_lock+0x2f/0x40 [ 90.995491][ T9683] userfaultfd_read+0x540/0x1940 [ 91.002002][ T9683] __vfs_read+0x8a/0x110 [ 91.007790][ T9683] vfs_read+0x194/0x3e0 [ 91.013486][ T9683] ksys_read+0x14f/0x290 [ 91.019275][ T9683] __x64_sys_read+0x73/0xb0 [ 91.025320][ T9683] do_syscall_64+0xfd/0x680 [ 91.031363][ T9683] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 91.038791][ T9683] } [ 91.041285][ T9683] ... key at: [] __key.46101+0x0/0x40 [ 91.048798][ T9683] ... acquired at: [ 91.052590][ T9683] mark_lock+0x420/0x1370 [ 91.057071][ T9683] __lock_acquire+0x12df/0x5490 [ 91.062101][ T9683] lock_acquire+0x16f/0x3f0 [ 91.066758][ T9683] _raw_spin_lock+0x2f/0x40 [ 91.071419][ T9683] userfaultfd_release+0x4ca/0x710 [ 91.076685][ T9683] __fput+0x2ff/0x890 [ 91.080851][ T9683] ____fput+0x16/0x20 [ 91.084987][ T9683] task_work_run+0x145/0x1c0 [ 91.089755][ T9683] do_exit+0x90a/0x2fa0 [ 91.094074][ T9683] do_group_exit+0x135/0x370 [ 91.098841][ T9683] get_signal+0x471/0x24b0 [ 91.103417][ T9683] do_signal+0x87/0x1900 [ 91.107815][ T9683] exit_to_usermode_loop+0x244/0x2c0 [ 91.113295][ T9683] do_syscall_64+0x58e/0x680 [ 91.118046][ T9683] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 91.124084][ T9683] [ 91.126385][ T9683] [ 91.126385][ T9683] stack backtrace: [ 91.132302][ T9683] CPU: 1 PID: 9683 Comm: syz-executor833 Not tainted 5.2.0-rc4+ #27 [ 91.140261][ T9683] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 91.150316][ T9683] Call Trace: [ 91.153596][ T9683] dump_stack+0x172/0x1f0 [ 91.157909][ T9683] print_irq_inversion_bug.part.0+0x2c5/0x2d2 [ 91.163984][ T9683] check_usage_backwards.cold+0x1d/0x26 [ 91.169536][ T9683] ? print_shortest_lock_dependencies+0x90/0x90 [ 91.175889][ T9683] ? stack_trace_save+0xac/0xe0 [ 91.180721][ T9683] ? stack_trace_consume_entry+0x190/0x190 [ 91.186681][ T9683] ? kasan_check_write+0x14/0x20 [ 91.191615][ T9683] ? graph_lock+0x7b/0x200 [ 91.196012][ T9683] ? __lockdep_reset_lock+0x450/0x450 [ 91.201366][ T9683] mark_lock+0x420/0x1370 [ 91.205674][ T9683] ? print_shortest_lock_dependencies+0x90/0x90 [ 91.211909][ T9683] __lock_acquire+0x12df/0x5490 [ 91.216742][ T9683] ? kasan_check_write+0x14/0x20 [ 91.221662][ T9683] ? mark_held_locks+0xf0/0xf0 [ 91.226499][ T9683] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 91.232314][ T9683] ? stack_depot_save+0x25a/0x450 [ 91.237324][ T9683] lock_acquire+0x16f/0x3f0 [ 91.241809][ T9683] ? userfaultfd_release+0x4ca/0x710 [ 91.247072][ T9683] _raw_spin_lock+0x2f/0x40 [ 91.251556][ T9683] ? userfaultfd_release+0x4ca/0x710 [ 91.256820][ T9683] userfaultfd_release+0x4ca/0x710 [ 91.261911][ T9683] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 91.267709][ T9683] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 91.273944][ T9683] ? ima_file_free+0xc9/0x4a0 [ 91.278618][ T9683] __fput+0x2ff/0x890 [ 91.282580][ T9683] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 91.288366][ T9683] ____fput+0x16/0x20 [ 91.292325][ T9683] task_work_run+0x145/0x1c0 [ 91.296899][ T9683] do_exit+0x90a/0x2fa0 [ 91.301033][ T9683] ? get_signal+0x387/0x24b0 [ 91.305603][ T9683] ? mm_update_next_owner+0x640/0x640 [ 91.310951][ T9683] ? kasan_check_write+0x14/0x20 [ 91.315867][ T9683] ? _raw_spin_unlock_irq+0x28/0x90 [ 91.321044][ T9683] ? get_signal+0x387/0x24b0 [ 91.325609][ T9683] ? _raw_spin_unlock_irq+0x28/0x90 [ 91.330791][ T9683] do_group_exit+0x135/0x370 [ 91.335364][ T9683] get_signal+0x471/0x24b0 [ 91.339791][ T9683] ? exit_robust_list+0x2c0/0x2c0 [ 91.344806][ T9683] do_signal+0x87/0x1900 [ 91.349028][ T9683] ? lock_downgrade+0x880/0x880 [ 91.353875][ T9683] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 91.360100][ T9683] ? kasan_check_read+0x11/0x20 [ 91.364931][ T9683] ? setup_sigcontext+0x7d0/0x7d0 [ 91.370024][ T9683] ? exit_to_usermode_loop+0x43/0x2c0 [ 91.375373][ T9683] ? do_syscall_64+0x58e/0x680 [ 91.380112][ T9683] ? exit_to_usermode_loop+0x43/0x2c0 [ 91.385481][ T9683] ? lockdep_hardirqs_on+0x418/0x5d0 [ 91.390759][ T9683] ? trace_hardirqs_on+0x67/0x220 [ 91.395776][ T9683] exit_to_usermode_loop+0x244/0x2c0 [ 91.401056][ T9683] do_syscall_64+0x58e/0x680 [ 91.405626][ T9683] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 91.411549][ T9683] RIP: 0033:0x4458f9 [ 91.415432][ T9683] Code: Bad RIP value. [ 91.419492][ T9683] RSP: 002b:00007f464d387db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 91.427893][ T9683] RAX: fffffffffffffe00 RBX: 00000000006dac58 RCX: 00000000004458f9 [ 91.435861][ T9683] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006d