Warning: Permanently added '10.128.10.14' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 51.078029][ T7987]
[ 51.080481][ T7987] ========================================================
[ 51.087662][ T7987] WARNING: possible irq lock inversion dependency detected
[ 51.094905][ T7987] 5.1.0-rc2+ #40 Not tainted
[ 51.099495][ T7987] --------------------------------------------------------
[ 51.106682][ T7987] syz-executor108/7987 just changed the state of lock:
[ 51.113522][ T7987] 0000000035a9db67 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0
[ 51.123238][ T7987] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 51.131378][ T7987]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 51.131387][ T7987]
[ 51.131387][ T7987]
[ 51.131387][ T7987] and interrupts could create inverse lock ordering between them.
[ 51.131387][ T7987]
[ 51.150865][ T7987]
[ 51.150865][ T7987] other info that might help us debug this:
[ 51.158921][ T7987] Chain exists of:
[ 51.158921][ T7987]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 51.158921][ T7987]
[ 51.173142][ T7987]  Possible interrupt unsafe locking scenario:
[ 51.173142][ T7987]
[ 51.181933][ T7987]        CPU0                    CPU1
[ 51.187283][ T7987]        ----                    ----
[ 51.192748][ T7987]   lock(&ctx->fault_pending_wqh);
[ 51.197985][ T7987]                                local_irq_disable();
[ 51.204730][ T7987]                                lock(&(&ctx->ctx_lock)->rlock);
[ 51.212445][ T7987]                                lock(&ctx->fd_wqh);
[ 51.219125][ T7987]
[ 51.222565][ T7987]     lock(&(&ctx->ctx_lock)->rlock);
[ 51.227921][ T7987]
[ 51.227921][ T7987]  *** DEADLOCK ***
[ 51.227921][ T7987]
[ 51.236067][ T7987] no locks held by syz-executor108/7987.
[ 51.241709][ T7987]
[ 51.241709][ T7987] the shortest dependencies between 2nd lock and 1st lock:
[ 51.251173][ T7987] -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 51.256968][ T7987]    IN-SOFTIRQ-W at:
[ 51.261130][ T7987]                     lock_acquire+0x16f/0x3f0
[ 51.267638][ T7987]                     _raw_spin_lock_irq+0x60/0x80
[ 51.274495][ T7987]                     free_ioctx_users+0x2d/0x4a0
[ 51.281268][ T7987]                     percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[ 51.289436][ T7987]                     rcu_core+0x928/0x1390
[ 51.295686][ T7987]                     __do_softirq+0x266/0x95a
[ 51.302443][ T7987]                     irq_exit+0x180/0x1d0
[ 51.308601][ T7987]                     smp_apic_timer_interrupt+0x14a/0x570
[ 51.316241][ T7987]                     apic_timer_interrupt+0xf/0x20
[ 51.323167][ T7987]                     native_safe_halt+0x2/0x10
[ 51.329770][ T7987]                     arch_cpu_idle+0x10/0x20
[ 51.336187][ T7987]                     default_idle_call+0x36/0x90
[ 51.342938][ T7987]                     do_idle+0x386/0x570
[ 51.348995][ T7987]                     cpu_startup_entry+0x1b/0x20
[ 51.356061][ T7987]                     start_secondary+0x360/0x4d0
[ 51.362832][ T7987]                     secondary_startup_64+0xa4/0xb0
[ 51.369841][ T7987]    INITIAL USE at:
[ 51.373921][ T7987]                    lock_acquire+0x16f/0x3f0
[ 51.381562][ T7987]                    _raw_spin_lock_irq+0x60/0x80
[ 51.388403][ T7987]                    io_submit_one+0xe0c/0x1cf0
[ 51.394986][ T7987]                    __x64_sys_io_submit+0x1bd/0x580
[ 51.402015][ T7987]                    do_syscall_64+0x103/0x610
[ 51.408510][ T7987]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.416313][ T7987]  }
[ 51.418998][ T7987]  ... key      at: [] __key.52644+0x0/0x40
[ 51.426606][ T7987]  ... acquired at:
[ 51.430577][ T7987]    lock_acquire+0x16f/0x3f0
[ 51.435237][ T7987]    _raw_spin_lock+0x2f/0x40
[ 51.439907][ T7987]    io_submit_one+0xe35/0x1cf0
[ 51.444755][ T7987]    __x64_sys_io_submit+0x1bd/0x580
[ 51.450222][ T7987]    do_syscall_64+0x103/0x610
[ 51.455007][ T7987]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.461054][ T7987]
[ 51.463371][ T7987] -> (&ctx->fd_wqh){....} {
[ 51.467946][ T7987]    INITIAL USE at:
[ 51.471957][ T7987]                    lock_acquire+0x16f/0x3f0
[ 51.478274][ T7987]                    _raw_spin_lock_irq+0x60/0x80
[ 51.484885][ T7987]                    userfaultfd_read+0x27a/0x1940
[ 51.491554][ T7987]                    do_iter_read+0x4a9/0x660
[ 51.497798][ T7987]                    vfs_readv+0xf0/0x160
[ 51.503694][ T7987]                    do_readv+0xf6/0x290
[ 51.509511][ T7987]                    __x64_sys_readv+0x75/0xb0
[ 51.517753][ T7987]                    do_syscall_64+0x103/0x610
[ 51.524398][ T7987]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.532032][ T7987]  }
[ 51.534616][ T7987]  ... key      at: [] __key.45453+0x0/0x40
[ 51.542293][ T7987]  ... acquired at:
[ 51.546695][ T7987]    lock_acquire+0x16f/0x3f0
[ 51.551376][ T7987]    _raw_spin_lock+0x2f/0x40
[ 51.556079][ T7987]    userfaultfd_read+0x540/0x1940
[ 51.569618][ T7987]    do_iter_read+0x4a9/0x660
[ 51.574286][ T7987]    vfs_readv+0xf0/0x160
[ 51.578609][ T7987]    do_readv+0xf6/0x290
[ 51.582861][ T7987]    __x64_sys_readv+0x75/0xb0
[ 51.587615][ T7987]    do_syscall_64+0x103/0x610
[ 51.592368][ T7987]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.598550][ T7987]
[ 51.608397][ T7987] -> (&ctx->fault_pending_wqh){+.+.} {
[ 51.613873][ T7987]    HARDIRQ-ON-W at:
[ 51.618331][ T7987]                    lock_acquire+0x16f/0x3f0
[ 51.625111][ T7987]                    _raw_spin_lock+0x2f/0x40
[ 51.631427][ T7987]                    userfaultfd_release+0x48e/0x6d0
[ 51.638599][ T7987]                    __fput+0x2e5/0x8d0
[ 51.644236][ T7987]                    ____fput+0x16/0x20
[ 51.649880][ T7987]                    task_work_run+0x14a/0x1c0
[ 51.656128][ T7987]                    do_exit+0x90a/0x2fa0
[ 51.661925][ T7987]                    do_group_exit+0x135/0x370
[ 51.668152][ T7987]                    __x64_sys_exit_group+0x44/0x50
[ 51.674816][ T7987]                    do_syscall_64+0x103/0x610
[ 51.681047][ T7987]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.688587][ T7987]    SOFTIRQ-ON-W at:
[ 51.692563][ T7987]                    lock_acquire+0x16f/0x3f0
[ 51.698704][ T7987]                    _raw_spin_lock+0x2f/0x40
[ 51.704871][ T7987]                    userfaultfd_release+0x48e/0x6d0
[ 51.711641][ T7987]                    __fput+0x2e5/0x8d0
[ 51.717433][ T7987]                    ____fput+0x16/0x20
[ 51.723057][ T7987]                    task_work_run+0x14a/0x1c0
[ 51.729316][ T7987]                    do_exit+0x90a/0x2fa0
[ 51.735132][ T7987]                    do_group_exit+0x135/0x370
[ 51.741389][ T7987]                    __x64_sys_exit_group+0x44/0x50
[ 51.748065][ T7987]                    do_syscall_64+0x103/0x610
[ 51.754297][ T7987]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.761827][ T7987]    INITIAL USE at:
[ 51.765722][ T7987]                    lock_acquire+0x16f/0x3f0
[ 51.771789][ T7987]                    _raw_spin_lock+0x2f/0x40
[ 51.778013][ T7987]                    userfaultfd_read+0x540/0x1940
[ 51.784525][ T7987]                    do_iter_read+0x4a9/0x660
[ 51.790604][ T7987]                    vfs_readv+0xf0/0x160
[ 51.796325][ T7987]                    do_readv+0xf6/0x290
[ 51.801963][ T7987]                    __x64_sys_readv+0x75/0xb0
[ 51.808123][ T7987]                    do_syscall_64+0x103/0x610
[ 51.814286][ T7987]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.821748][ T7987]  }
[ 51.824244][ T7987]  ... key      at: [] __key.45450+0x0/0x40
[ 51.831678][ T7987]  ... acquired at:
[ 51.835502][ T7987]    mark_lock+0x427/0x1380
[ 51.840054][ T7987]    __lock_acquire+0x1317/0x3fb0
[ 51.845070][ T7987]    lock_acquire+0x16f/0x3f0
[ 51.849758][ T7987]    _raw_spin_lock+0x2f/0x40
[ 51.854429][ T7987]    userfaultfd_release+0x48e/0x6d0
[ 51.859727][ T7987]    __fput+0x2e5/0x8d0
[ 51.864319][ T7987]    ____fput+0x16/0x20
[ 51.868468][ T7987]    task_work_run+0x14a/0x1c0
[ 51.873250][ T7987]    do_exit+0x90a/0x2fa0
[ 51.877567][ T7987]    do_group_exit+0x135/0x370
[ 51.882326][ T7987]    __x64_sys_exit_group+0x44/0x50
[ 51.887510][ T7987]    do_syscall_64+0x103/0x610
[ 51.892265][ T7987]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.898332][ T7987]
[ 51.900922][ T7987]
[ 51.900922][ T7987] stack backtrace:
[ 51.906826][ T7987] CPU: 1 PID: 7987 Comm: syz-executor108 Not tainted 5.1.0-rc2+ #40
[ 51.916206][ T7987] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.926251][ T7987] Call Trace:
[ 51.929556][ T7987]  dump_stack+0x172/0x1f0
[ 51.933890][ T7987]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 51.940019][ T7987]  check_usage_backwards.cold+0x1d/0x26
[ 51.945591][ T7987]  ? print_shortest_lock_dependencies+0x90/0x90
[ 51.951847][ T7987]  ? save_stack_trace+0x1a/0x20
[ 51.956692][ T7987]  mark_lock+0x427/0x1380
[ 51.961042][ T7987]  ? print_shortest_lock_dependencies+0x90/0x90
[ 51.967289][ T7987]  __lock_acquire+0x1317/0x3fb0
[ 51.972166][ T7987]  ? __save_stack_trace+0x99/0x100
[ 51.977310][ T7987]  ? mark_held_locks+0xf0/0xf0
[ 51.982073][ T7987]  ? save_stack+0xa9/0xd0
[ 51.986393][ T7987]  ? save_stack+0x45/0xd0
[ 51.990715][ T7987]  ? __kasan_slab_free+0x102/0x150
[ 51.995820][ T7987]  ? kasan_slab_free+0xe/0x10
[ 52.000492][ T7987]  ? kmem_cache_free+0x86/0x260
[ 52.005341][ T7987]  ? free_fs_struct+0x4f/0x70
[ 52.010007][ T7987]  ? exit_fs+0xf0/0x130
[ 52.014157][ T7987]  lock_acquire+0x16f/0x3f0
[ 52.018669][ T7987]  ? userfaultfd_release+0x48e/0x6d0
[ 52.023956][ T7987]  _raw_spin_lock+0x2f/0x40
[ 52.028674][ T7987]  ? userfaultfd_release+0x48e/0x6d0
[ 52.033983][ T7987]  userfaultfd_release+0x48e/0x6d0
[ 52.039096][ T7987]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 52.044930][ T7987]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 52.051183][ T7987]  ? ima_file_free+0xc9/0x4a0
[ 52.055854][ T7987]  ? __might_sleep+0x95/0x190
[ 52.060548][ T7987]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 52.066371][ T7987]  __fput+0x2e5/0x8d0
[ 52.070349][ T7987]  ____fput+0x16/0x20
[ 52.074415][ T7987]  task_work_run+0x14a/0x1c0
[ 52.079010][ T7987]  do_exit+0x90a/0x2fa0
[ 52.083162][ T7987]  ? find_held_lock+0x35/0x130
[ 52.088012][ T7987]  ? do_group_exit+0x2e9/0x370
[ 52.092791][ T7987]  ? mm_update_next_owner+0x640/0x640
[ 52.098158][ T7987]  ? _raw_spin_unlock_irq+0x28/0x90
[ 52.103352][ T7987]  ? do_group_exit+0x2e9/0x370
[ 52.108122][ T7987]  ? _raw_spin_unlock_irq+0x28/0x90
[ 52.113342][ T7987]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 52.118627][ T7987]  ? trace_hardirqs_on+0x67/0x230
[ 52.123663][ T7987]  ? kasan_check_read+0x11/0x20
[ 52.128622][ T7987]  do_group_exit+0x135/0x370
[ 52.133236][ T7987]  __x64_sys_exit_group+0x44/0x50
[ 52.138268][ T7987]  do_syscall_64+0x103/0x610
[ 52.142851][ T7987]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.148739][ T7987] RIP: 0033:0x444478
[ 52.152628][ T7987] Code: Bad RIP value.
[ 52.156709][ T7987] RSP: 002b:00007fff5b3bad18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 52.165132][ T7987] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444478
[ 52.173619][ T7987] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[