[ 38.224768][ T26] audit: type=1800 audit(1554517965.536:27): pid=7701 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 38.247854][ T26] audit: type=1800 audit(1554517965.536:28): pid=7701 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 39.105981][ T26] audit: type=1800 audit(1554517966.466:29): pid=7701 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 39.132827][ T26] audit: type=1800 audit(1554517966.466:30): pid=7701 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.113' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 73.061504][ T7854]
[ 73.063868][ T7854] ========================================================
[ 73.071044][ T7854] WARNING: possible irq lock inversion dependency detected
[ 73.078223][ T7854] 5.1.0-rc3+ #53 Not tainted
[ 73.082808][ T7854] --------------------------------------------------------
[ 73.090043][ T7854] syz-executor350/7854 just changed the state of lock:
[ 73.096879][ T7854] 000000004a949626 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0
[ 73.106606][ T7854] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 73.114681][ T7854] (&(&ctx->ctx_lock)->rlock){..-.}
[ 73.114690][ T7854]
[ 73.114690][ T7854]
[ 73.114690][ T7854] and interrupts could create inverse lock ordering between them.
[ 73.114690][ T7854]
[ 73.134182][ T7854]
[ 73.134182][ T7854] other info that might help us debug this:
[ 73.142227][ T7854] Chain exists of:
[ 73.142227][ T7854] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 73.142227][ T7854]
[ 73.156445][ T7854] Possible interrupt unsafe locking scenario:
[ 73.156445][ T7854]
[ 73.164749][ T7854]        CPU0                    CPU1
[ 73.170098][ T7854]        ----                    ----
[ 73.175446][ T7854]   lock(&ctx->fault_pending_wqh);
[ 73.180538][ T7854]                                local_irq_disable();
[ 73.187274][ T7854]                                lock(&(&ctx->ctx_lock)->rlock);
[ 73.194970][ T7854]                                lock(&ctx->fd_wqh);
[ 73.201664][ T7854]
[ 73.205102][ T7854]     lock(&(&ctx->ctx_lock)->rlock);
[ 73.210446][ T7854]
[ 73.210446][ T7854] *** DEADLOCK ***
[ 73.210446][ T7854]
[ 73.218577][ T7854] no locks held by syz-executor350/7854.
[ 73.224189][ T7854]
[ 73.224189][ T7854] the shortest dependencies between 2nd lock and 1st lock:
[ 73.233534][ T7854] -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 73.239235][ T7854] IN-SOFTIRQ-W at:
[ 73.243381][ T7854] lock_acquire+0x16f/0x3f0
[ 73.249865][ T7854] _raw_spin_lock_irq+0x60/0x80
[ 73.256704][ T7854] free_ioctx_users+0x2d/0x4a0
[ 73.263446][ T7854] percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[ 73.271579][ T7854] rcu_core+0x928/0x1390
[ 73.277799][ T7854] __do_softirq+0x266/0x95a
[ 73.284296][ T7854] irq_exit+0x180/0x1d0
[ 73.290430][ T7854] smp_apic_timer_interrupt+0x14a/0x570
[ 73.297952][ T7854] apic_timer_interrupt+0xf/0x20
[ 73.304868][ T7854] native_safe_halt+0x2/0x10
[ 73.311436][ T7854] arch_cpu_idle+0x10/0x20
[ 73.317835][ T7854] default_idle_call+0x36/0x90
[ 73.324603][ T7854] do_idle+0x386/0x570
[ 73.330698][ T7854] cpu_startup_entry+0x1b/0x20
[ 73.337462][ T7854] start_secondary+0x360/0x4d0
[ 73.344212][ T7854] secondary_startup_64+0xa4/0xb0
[ 73.351211][ T7854] INITIAL USE at:
[ 73.355266][ T7854] lock_acquire+0x16f/0x3f0
[ 73.361663][ T7854] _raw_spin_lock_irq+0x60/0x80
[ 73.368407][ T7854] io_submit_one+0xaec/0x2f90
[ 73.374981][ T7854] __ia32_compat_sys_io_submit+0x1be/0x570
[ 73.382769][ T7854] do_fast_syscall_32+0x281/0xc98
[ 73.389708][ T7854] entry_SYSENTER_compat+0x70/0x7f
[ 73.396813][ T7854] }
[ 73.399483][ T7854] ... key at: [] __key.52649+0x0/0x40
[ 73.407110][ T7854] ... acquired at:
[ 73.411098][ T7854] lock_acquire+0x16f/0x3f0
[ 73.415757][ T7854] _raw_spin_lock+0x2f/0x40
[ 73.420529][ T7854] io_submit_one+0xb31/0x2f90
[ 73.425386][ T7854] __ia32_compat_sys_io_submit+0x1be/0x570
[ 73.431412][ T7854] do_fast_syscall_32+0x281/0xc98
[ 73.436592][ T7854] entry_SYSENTER_compat+0x70/0x7f
[ 73.441848][ T7854]
[ 73.444154][ T7854] -> (&ctx->fd_wqh){....} {
[ 73.448725][ T7854] INITIAL USE at:
[ 73.452700][ T7854] lock_acquire+0x16f/0x3f0
[ 73.458923][ T7854] _raw_spin_lock_irqsave+0x95/0xcd
[ 73.465851][ T7854] add_wait_queue+0x4c/0x170
[ 73.472247][ T7854] aio_poll_queue_proc+0x9e/0x110
[ 73.478992][ T7854] userfaultfd_poll+0x93/0x220
[ 73.485473][ T7854] io_submit_one+0xa8a/0x2f90
[ 73.491971][ T7854] __ia32_compat_sys_io_submit+0x1be/0x570
[ 73.499509][ T7854] do_fast_syscall_32+0x281/0xc98
[ 73.506256][ T7854] entry_SYSENTER_compat+0x70/0x7f
[ 73.513082][ T7854] }
[ 73.515757][ T7854] ... key at: [] __key.45459+0x0/0x40
[ 73.523278][ T7854] ... acquired at:
[ 73.527154][ T7854] lock_acquire+0x16f/0x3f0
[ 73.531876][ T7854] _raw_spin_lock+0x2f/0x40
[ 73.536540][ T7854] userfaultfd_read+0x540/0x1940
[ 73.541729][ T7854] __vfs_read+0x8d/0x110
[ 73.546223][ T7854] vfs_read+0x194/0x3e0
[ 73.550538][ T7854] ksys_read+0xea/0x1f0
[ 73.554956][ T7854] __ia32_sys_read+0x71/0xb0
[ 73.559750][ T7854] do_fast_syscall_32+0x281/0xc98
[ 73.565028][ T7854] entry_SYSENTER_compat+0x70/0x7f
[ 73.570301][ T7854]
[ 73.572608][ T7854] -> (&ctx->fault_pending_wqh){+.+.} {
[ 73.578122][ T7854] HARDIRQ-ON-W at:
[ 73.582099][ T7854] lock_acquire+0x16f/0x3f0
[ 73.588242][ T7854] _raw_spin_lock+0x2f/0x40
[ 73.594388][ T7854] userfaultfd_release+0x48e/0x6d0
[ 73.601135][ T7854] __fput+0x2e5/0x8d0
[ 73.606756][ T7854] ____fput+0x16/0x20
[ 73.612482][ T7854] task_work_run+0x14a/0x1c0
[ 73.618712][ T7854] do_exit+0x90a/0x2fa0
[ 73.624520][ T7854] do_group_exit+0x135/0x370
[ 73.630757][ T7854] get_signal+0x399/0x1d50
[ 73.636868][ T7854] do_signal+0x87/0x1940
[ 73.642753][ T7854] exit_to_usermode_loop+0x244/0x2c0
[ 73.649855][ T7854] do_fast_syscall_32+0xa9d/0xc98
[ 73.656611][ T7854] entry_SYSENTER_compat+0x70/0x7f
[ 73.663354][ T7854] SOFTIRQ-ON-W at:
[ 73.667323][ T7854] lock_acquire+0x16f/0x3f0
[ 73.673670][ T7854] _raw_spin_lock+0x2f/0x40
[ 73.679842][ T7854] userfaultfd_release+0x48e/0x6d0
[ 73.686586][ T7854] __fput+0x2e5/0x8d0
[ 73.692202][ T7854] ____fput+0x16/0x20
[ 73.697829][ T7854] task_work_run+0x14a/0x1c0
[ 73.704057][ T7854] do_exit+0x90a/0x2fa0
[ 73.709853][ T7854] do_group_exit+0x135/0x370
[ 73.716081][ T7854] get_signal+0x399/0x1d50
[ 73.722138][ T7854] do_signal+0x87/0x1940
[ 73.729254][ T7854] exit_to_usermode_loop+0x244/0x2c0
[ 73.736286][ T7854] do_fast_syscall_32+0xa9d/0xc98
[ 73.742949][ T7854] entry_SYSENTER_compat+0x70/0x7f
[ 73.749688][ T7854] INITIAL USE at:
[ 73.753574][ T7854] lock_acquire+0x16f/0x3f0
[ 73.759637][ T7854] _raw_spin_lock+0x2f/0x40
[ 73.765693][ T7854] userfaultfd_read+0x540/0x1940
[ 73.772178][ T7854] __vfs_read+0x8d/0x110
[ 73.777973][ T7854] vfs_read+0x194/0x3e0
[ 73.783796][ T7854] ksys_read+0xea/0x1f0
[ 73.789553][ T7854] __ia32_sys_read+0x71/0xb0
[ 73.795696][ T7854] do_fast_syscall_32+0x281/0xc98
[ 73.802266][ T7854] entry_SYSENTER_compat+0x70/0x7f
[ 73.808913][ T7854] }
[ 73.811402][ T7854] ... key at: [] __key.45456+0x0/0x40
[ 73.818938][ T7854] ... acquired at:
[ 73.822734][ T7854] mark_lock+0x427/0x1380
[ 73.827220][ T7854] __lock_acquire+0x1317/0x3fb0
[ 73.835331][ T7854] lock_acquire+0x16f/0x3f0
[ 73.839999][ T7854] _raw_spin_lock+0x2f/0x40
[ 73.844874][ T7854] userfaultfd_release+0x48e/0x6d0
[ 73.850143][ T7854] __fput+0x2e5/0x8d0
[ 73.854280][ T7854] ____fput+0x16/0x20
[ 73.858414][ T7854] task_work_run+0x14a/0x1c0
[ 73.863215][ T7854] do_exit+0x90a/0x2fa0
[ 73.867715][ T7854] do_group_exit+0x135/0x370
[ 73.872505][ T7854] get_signal+0x399/0x1d50
[ 73.877077][ T7854] do_signal+0x87/0x1940
[ 73.887368][ T7854] exit_to_usermode_loop+0x244/0x2c0
[ 73.892811][ T7854] do_fast_syscall_32+0xa9d/0xc98
[ 73.897999][ T7854] entry_SYSENTER_compat+0x70/0x7f
[ 73.903264][ T7854]
[ 73.905566][ T7854]
[ 73.905566][ T7854] stack backtrace:
[ 73.911436][ T7854] CPU: 1 PID: 7854 Comm: syz-executor350 Not tainted 5.1.0-rc3+ #53
[ 73.919386][ T7854] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.929437][ T7854] Call Trace:
[ 73.932761][ T7854] dump_stack+0x172/0x1f0
[ 73.937085][ T7854] print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 73.943137][ T7854] check_usage_backwards.cold+0x1d/0x26
[ 73.948667][ T7854] ? print_shortest_lock_dependencies+0x90/0x90
[ 73.954887][ T7854] ? save_stack_trace+0x1a/0x20
[ 73.959767][ T7854] ? depot_save_stack+0x1de/0x460
[ 73.964777][ T7854] mark_lock+0x427/0x1380
[ 73.969083][ T7854] ? print_shortest_lock_dependencies+0x90/0x90
[ 73.975425][ T7854] __lock_acquire+0x1317/0x3fb0
[ 73.980259][ T7854] ? trace_hardirqs_off+0x62/0x220
[ 73.985416][ T7854] ? kasan_check_read+0x11/0x20
[ 73.990373][ T7854] ? mark_held_locks+0xf0/0xf0
[ 73.995238][ T7854] ? save_stack+0xa9/0xd0
[ 73.999613][ T7854] ? save_stack+0x45/0xd0
[ 74.003965][ T7854] ? __kasan_slab_free+0x102/0x150
[ 74.009063][ T7854] ? kasan_slab_free+0xe/0x10
[ 74.013718][ T7854] ? kmem_cache_free+0x86/0x260
[ 74.018588][ T7854] ? free_fs_struct+0x4f/0x70
[ 74.023252][ T7854] ? exit_fs+0xf0/0x130
[ 74.027388][ T7854] lock_acquire+0x16f/0x3f0
[ 74.031871][ T7854] ? userfaultfd_release+0x48e/0x6d0
[ 74.037309][ T7854] _raw_spin_lock+0x2f/0x40
[ 74.041847][ T7854] ? userfaultfd_release+0x48e/0x6d0
[ 74.047124][ T7854] userfaultfd_release+0x48e/0x6d0
[ 74.052222][ T7854] ? userfaultfd_wake_function+0x2f0/0x2f0
[ 74.058060][ T7854] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 74.064377][ T7854] ? ima_file_free+0xc9/0x4a0
[ 74.069039][ T7854] ? __might_sleep+0x95/0x190
[ 74.073807][ T7854] ? userfaultfd_wake_function+0x2f0/0x2f0
[ 74.079602][ T7854] __fput+0x2e5/0x8d0
[ 74.083568][ T7854] ____fput+0x16/0x20
[ 74.087579][ T7854] task_work_run+0x14a/0x1c0
[ 74.092160][ T7854] do_exit+0x90a/0x2fa0
[ 74.096363][ T7854] ? get_signal+0x331/0x1d50
[ 74.100944][ T7854] ? mm_update_next_owner+0x640/0x640
[ 74.106489][ T7854] ? kasan_check_write+0x14/0x20
[ 74.111480][ T7854] ? _raw_spin_unlock_irq+0x28/0x90
[ 74.116665][ T7854] ? get_signal+0x331/0x1d50
[ 74.121240][ T7854] ? _raw_spin_unlock_irq+0x28/0x90
[ 74.126444][ T7854] do_group_exit+0x135/0x370
[ 74.131018][ T7854] get_signal+0x399/0x1d50
[ 74.135459][ T7854] ? fsnotify+0xbc0/0xbc0
[ 74.139777][ T7854] ? fsnotify_first_mark+0x210/0x210
[ 74.145051][ T7854] do_signal+0x87/0x1940
[ 74.149278][ T7854] ? __vfs_read+0x95/0x110
[ 74.153679][ T7854] ? userfaultfd_event_wait_completion+0xa50/0xa50
[ 74.160187][ T7854] ? setup_sigcontext+0x7d0/0x7d0
[ 74.165294][ T7854] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 74.171520][ T7854] ? vfs_read+0x15d/0x3e0
[ 74.175843][ T7854] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 74.182073][ T7854] ? ksys_read+0x166/0x1f0
[ 74.186470][ T7854] ? exit_to_usermode_loop+0x43/0x2c0
[ 74.191834][ T7854] ? do_fast_syscall_32+0xa9d/0xc98
[ 74.197021][ T7854] ? exit_to_usermode_loop+0x43/0x2c0
[ 74.202380][ T7854] ? lockdep_hardirqs_on+0x418/0x5d0
[ 74.207650][ T7854] ? trace_hardirqs_on+0x67/0x230
[ 74.212662][ T7854] exit_to_usermode_loop+0x244/0x2c0
[ 74.217933][ T7854] do_fast_syscall_32+0xa9d/0xc98
[ 74.222945][ T7854] entry_SYSENTER_compat+0x70/0x7f
[ 74.228039][ T7854] RIP: 0023:0xf7f76869
[ 74.232092][ T7854] Code: Bad RIP value.
[ 74.236132][ T7854] RSP: 002b:00000000ff9db0ec EFLAGS: 00000217 ORIG_RAX: 0000000000000003
[ 74.244521][ T7854] RAX: fffffffffffffe00 RBX: 0000000000000004 RCX: 0000000020000180
[ 74.252475][ T7854] RDX: 0000000000000107 RSI: 0000000000000036 RDI: 0000000000000004
executing program
[ 74.260428][ T7854] RBP: 00000000c018aa3f R08: 0000000000000000 R09: 0000000000000000
[ 74.268463][ T7854] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 74.276885][ T7854] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
executing program