[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 62.357353][ T26] audit: type=1800 audit(1558014463.067:25): pid=9008 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 62.401072][ T26] audit: type=1800 audit(1558014463.067:26): pid=9008 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 62.458586][ T26] audit: type=1800 audit(1558014463.067:27): pid=9008 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.1.53' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 73.452278][ T9163] [ 73.454648][ T9163] ======================================================== [ 73.461826][ T9163] WARNING: possible irq lock inversion dependency detected [ 73.469000][ T9163] 5.1.0+ #16 Not tainted [ 73.473219][ T9163] -------------------------------------------------------- [ 73.480392][ T9163] syz-executor462/9163 just changed the state of lock: [ 73.487220][ T9163] 00000000d4e13932 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x4ca/0x710 [ 73.496948][ T9163] but this lock was taken by another, SOFTIRQ-safe lock in the past: [ 73.504987][ T9163] (&(&ctx->ctx_lock)->rlock){..-.} [ 73.504994][ T9163] [ 73.504994][ T9163] [ 73.504994][ T9163] and interrupts could create inverse lock ordering between them. [ 73.504994][ T9163] [ 73.524456][ T9163] [ 73.524456][ T9163] other info that might help us debug this: [ 73.532500][ T9163] Chain exists of: [ 73.532500][ T9163] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh [ 73.532500][ T9163] [ 73.546720][ T9163] Possible interrupt unsafe locking scenario: [ 73.546720][ T9163] [ 73.555026][ T9163] CPU0 CPU1 [ 73.560371][ T9163] ---- ---- [ 73.565717][ T9163] lock(&ctx->fault_pending_wqh); [ 73.570810][ T9163] local_irq_disable(); [ 73.577545][ T9163] lock(&(&ctx->ctx_lock)->rlock); [ 73.585239][ T9163] lock(&ctx->fd_wqh); [ 73.591896][ T9163] [ 73.595331][ T9163] lock(&(&ctx->ctx_lock)->rlock); [ 73.600675][ T9163] [ 73.600675][ T9163] *** DEADLOCK *** [ 73.600675][ T9163] [ 73.608824][ T9163] no locks held by syz-executor462/9163. [ 73.614429][ T9163] [ 73.614429][ T9163] the shortest dependencies between 2nd lock and 1st lock: [ 73.623800][ T9163] -> (&(&ctx->ctx_lock)->rlock){..-.} { [ 73.629501][ T9163] IN-SOFTIRQ-W at: [ 73.633850][ T9163] lock_acquire+0x16f/0x3f0 [ 73.645469][ T9163] _raw_spin_lock_irq+0x60/0x80 [ 73.652304][ T9163] free_ioctx_users+0x2d/0x4a0 [ 73.659058][ T9163] percpu_ref_switch_to_atomic_rcu+0x3e7/0x520 [ 73.667207][ T9163] rcu_core+0xbac/0x1510 [ 73.673451][ T9163] __do_softirq+0x266/0x95a [ 73.679936][ T9163] irq_exit+0x180/0x1d0 [ 73.686071][ T9163] smp_apic_timer_interrupt+0x14a/0x570 [ 73.693599][ T9163] apic_timer_interrupt+0xf/0x20 [ 73.700532][ T9163] native_safe_halt+0xe/0x10 [ 73.707107][ T9163] arch_cpu_idle+0x10/0x20 [ 73.713507][ T9163] default_idle_call+0x36/0x90 [ 73.720256][ T9163] do_idle+0x377/0x560 [ 73.726324][ T9163] cpu_startup_entry+0x1b/0x20 [ 73.733069][ T9163] rest_init+0x245/0x37b [ 73.739298][ T9163] arch_call_rest_init+0xe/0x1b [ 73.746152][ T9163] start_kernel+0x857/0x896 [ 73.752649][ T9163] x86_64_start_reservations+0x29/0x2b [ 73.760127][ T9163] x86_64_start_kernel+0x77/0x7b [ 73.767055][ T9163] secondary_startup_64+0xa4/0xb0 [ 73.774057][ T9163] INITIAL USE at: [ 73.778142][ T9163] lock_acquire+0x16f/0x3f0 [ 73.784574][ T9163] _raw_spin_lock_irq+0x60/0x80 [ 73.791321][ T9163] io_submit_one+0xae2/0x2f40 [ 73.797903][ T9163] __ia32_compat_sys_io_submit+0x1be/0x570 [ 73.805608][ T9163] do_fast_syscall_32+0x281/0xd83 [ 73.812847][ T9163] entry_SYSENTER_compat+0x70/0x7f [ 73.819913][ T9163] } [ 73.822579][ T9163] ... key at: [] __key.53373+0x0/0x40 [ 73.830206][ T9163] ... acquired at: [ 73.834179][ T9163] _raw_spin_lock+0x2f/0x40 [ 73.838842][ T9163] io_submit_one+0xb27/0x2f40 [ 73.843698][ T9163] __ia32_compat_sys_io_submit+0x1be/0x570 [ 73.850146][ T9163] do_fast_syscall_32+0x281/0xd83 [ 73.855363][ T9163] entry_SYSENTER_compat+0x70/0x7f [ 73.861836][ T9163] [ 73.864192][ T9163] -> (&ctx->fd_wqh){....} { [ 73.868776][ T9163] INITIAL USE at: [ 73.872745][ T9163] lock_acquire+0x16f/0x3f0 [ 73.879146][ T9163] _raw_spin_lock_irq+0x60/0x80 [ 73.885748][ T9163] userfaultfd_read+0x27a/0x1940 [ 73.892743][ T9163] __vfs_read+0x8d/0x110 [ 73.899060][ T9163] vfs_read+0x194/0x3e0 [ 73.904949][ T9163] ksys_read+0x14f/0x290 [ 73.910930][ T9163] __ia32_sys_read+0x71/0xb0 [ 73.917246][ T9163] do_fast_syscall_32+0x281/0xd83 [ 73.923994][ T9163] entry_SYSENTER_compat+0x70/0x7f [ 73.930818][ T9163] } [ 73.933392][ T9163] ... key at: [] __key.46046+0x0/0x40 [ 73.940920][ T9163] ... acquired at: [ 73.944801][ T9163] _raw_spin_lock+0x2f/0x40 [ 73.949455][ T9163] userfaultfd_read+0x540/0x1940 [ 73.954565][ T9163] __vfs_read+0x8d/0x110 [ 73.958962][ T9163] vfs_read+0x194/0x3e0 [ 73.963267][ T9163] ksys_read+0x14f/0x290 [ 73.967682][ T9163] __ia32_sys_read+0x71/0xb0 [ 73.972437][ T9163] do_fast_syscall_32+0x281/0xd83 [ 73.977623][ T9163] entry_SYSENTER_compat+0x70/0x7f [ 73.982879][ T9163] [ 73.985189][ T9163] -> (&ctx->fault_pending_wqh){+.+.} { [ 73.990628][ T9163] HARDIRQ-ON-W at: [ 73.994615][ T9163] lock_acquire+0x16f/0x3f0 [ 74.000766][ T9163] _raw_spin_lock+0x2f/0x40 [ 74.006925][ T9163] userfaultfd_release+0x4ca/0x710 [ 74.013682][ T9163] __fput+0x302/0x890 [ 74.019295][ T9163] ____fput+0x16/0x20 [ 74.024910][ T9163] task_work_run+0x14a/0x1c0 [ 74.031134][ T9163] do_exit+0x90a/0x2fa0 [ 74.036921][ T9163] do_group_exit+0x135/0x370 [ 74.043143][ T9163] get_signal+0x41e/0x2250 [ 74.049212][ T9163] do_signal+0x87/0x1900 [ 74.055089][ T9163] exit_to_usermode_loop+0x244/0x2c0 [ 74.062010][ T9163] do_fast_syscall_32+0xb57/0xd83 [ 74.068671][ T9163] entry_SYSENTER_compat+0x70/0x7f [ 74.075409][ T9163] SOFTIRQ-ON-W at: [ 74.079382][ T9163] lock_acquire+0x16f/0x3f0 [ 74.085519][ T9163] _raw_spin_lock+0x2f/0x40 [ 74.091652][ T9163] userfaultfd_release+0x4ca/0x710 [ 74.098401][ T9163] __fput+0x302/0x890 [ 74.104016][ T9163] ____fput+0x16/0x20 [ 74.109625][ T9163] task_work_run+0x14a/0x1c0 [ 74.115842][ T9163] do_exit+0x90a/0x2fa0 [ 74.122714][ T9163] do_group_exit+0x135/0x370 [ 74.128931][ T9163] get_signal+0x41e/0x2250 [ 74.134977][ T9163] do_signal+0x87/0x1900 [ 74.140854][ T9163] exit_to_usermode_loop+0x244/0x2c0 [ 74.147776][ T9163] do_fast_syscall_32+0xb57/0xd83 [ 74.154436][ T9163] entry_SYSENTER_compat+0x70/0x7f [ 74.161178][ T9163] INITIAL USE at: [ 74.165067][ T9163] lock_acquire+0x16f/0x3f0 [ 74.171119][ T9163] _raw_spin_lock+0x2f/0x40 [ 74.177174][ T9163] userfaultfd_read+0x540/0x1940 [ 74.183656][ T9163] __vfs_read+0x8d/0x110 [ 74.189443][ T9163] vfs_read+0x194/0x3e0 [ 74.195152][ T9163] ksys_read+0x14f/0x290 [ 74.200938][ T9163] __ia32_sys_read+0x71/0xb0 [ 74.207085][ T9163] do_fast_syscall_32+0x281/0xd83 [ 74.213655][ T9163] entry_SYSENTER_compat+0x70/0x7f [ 74.220304][ T9163] } [ 74.222791][ T9163] ... key at: [] __key.46043+0x0/0x40 [ 74.230219][ T9163] ... acquired at: [ 74.234021][ T9163] mark_lock+0x423/0x1380 [ 74.238503][ T9163] __lock_acquire+0x12df/0x5490 [ 74.243504][ T9163] lock_acquire+0x16f/0x3f0 [ 74.248159][ T9163] _raw_spin_lock+0x2f/0x40 [ 74.252817][ T9163] userfaultfd_release+0x4ca/0x710 [ 74.258085][ T9163] __fput+0x302/0x890 [ 74.262217][ T9163] ____fput+0x16/0x20 [ 74.266351][ T9163] task_work_run+0x14a/0x1c0 [ 74.271106][ T9163] do_exit+0x90a/0x2fa0 [ 74.275415][ T9163] do_group_exit+0x135/0x370 [ 74.280156][ T9163] get_signal+0x41e/0x2250 [ 74.284729][ T9163] do_signal+0x87/0x1900 [ 74.289121][ T9163] exit_to_usermode_loop+0x244/0x2c0 [ 74.294559][ T9163] do_fast_syscall_32+0xb57/0xd83 [ 74.299748][ T9163] entry_SYSENTER_compat+0x70/0x7f [ 74.305005][ T9163] [ 74.307307][ T9163] [ 74.307307][ T9163] stack backtrace: [ 74.313181][ T9163] CPU: 0 PID: 9163 Comm: syz-executor462 Not tainted 5.1.0+ #16 [ 74.320793][ T9163] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 74.330836][ T9163] Call Trace: [ 74.334114][ T9163] dump_stack+0x172/0x1f0 [ 74.338428][ T9163] print_irq_inversion_bug.part.0+0x2c5/0x2d2 [ 74.344484][ T9163] check_usage_backwards.cold+0x1d/0x26 [ 74.350015][ T9163] ? print_shortest_lock_dependencies+0x90/0x90 [ 74.356234][ T9163] ? stack_trace_save+0xac/0xe0 [ 74.361065][ T9163] ? stack_trace_consume_entry+0x190/0x190 [ 74.366875][ T9163] ? kasan_check_write+0x14/0x20 [ 74.371804][ T9163] ? graph_lock+0x7b/0x200 [ 74.376199][ T9163] ? __lockdep_reset_lock+0x450/0x450 [ 74.381576][ T9163] mark_lock+0x423/0x1380 [ 74.385907][ T9163] ? print_shortest_lock_dependencies+0x90/0x90 [ 74.392129][ T9163] __lock_acquire+0x12df/0x5490 [ 74.396962][ T9163] ? kasan_check_write+0x14/0x20 [ 74.401883][ T9163] ? mark_held_locks+0xf0/0xf0 [ 74.406639][ T9163] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 74.412427][ T9163] ? stack_depot_save+0x25a/0x450 [ 74.417434][ T9163] lock_acquire+0x16f/0x3f0 [ 74.421929][ T9163] ? userfaultfd_release+0x4ca/0x710 [ 74.427218][ T9163] _raw_spin_lock+0x2f/0x40 [ 74.431709][ T9163] ? userfaultfd_release+0x4ca/0x710 [ 74.436977][ T9163] userfaultfd_release+0x4ca/0x710 [ 74.442080][ T9163] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 74.447876][ T9163] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 74.454109][ T9163] ? ima_file_free+0xc9/0x4a0 [ 74.458774][ T9163] __fput+0x302/0x890 [ 74.462738][ T9163] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 74.468539][ T9163] ____fput+0x16/0x20 [ 74.472502][ T9163] task_work_run+0x14a/0x1c0 [ 74.477073][ T9163] do_exit+0x90a/0x2fa0 [ 74.481208][ T9163] ? get_signal+0x334/0x2250 [ 74.485776][ T9163] ? mm_update_next_owner+0x640/0x640 [ 74.491140][ T9163] ? kasan_check_write+0x14/0x20 [ 74.496065][ T9163] ? _raw_spin_unlock_irq+0x28/0x90 [ 74.501244][ T9163] ? get_signal+0x334/0x2250 [ 74.505817][ T9163] ? _raw_spin_unlock_irq+0x28/0x90 [ 74.510996][ T9163] do_group_exit+0x135/0x370 [ 74.515566][ T9163] get_signal+0x41e/0x2250 [ 74.519962][ T9163] ? exit_robust_list+0x2c0/0x2c0 [ 74.524972][ T9163] ? __ia32_compat_sys_io_submit+0x2fe/0x570 [ 74.530936][ T9163] do_signal+0x87/0x1900 [ 74.535161][ T9163] ? lock_downgrade+0x880/0x880 [ 74.539998][ T9163] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 74.546228][ T9163] ? setup_sigcontext+0x7d0/0x7d0 [ 74.551240][ T9163] ? exit_to_usermode_loop+0x43/0x2c0 [ 74.556597][ T9163] ? do_fast_syscall_32+0xb57/0xd83 [ 74.561781][ T9163] ? exit_to_usermode_loop+0x43/0x2c0 [ 74.567135][ T9163] ? lockdep_hardirqs_on+0x418/0x5d0 [ 74.572404][ T9163] ? trace_hardirqs_on+0x67/0x230 [ 74.577432][ T9163] exit_to_usermode_loop+0x244/0x2c0 [ 74.582707][ T9163] do_fast_syscall_32+0xb57/0xd83 [ 74.587719][ T9163] entry_SYSENTER_compat+0x70/0x7f [ 74.592837][ T9163] RIP: 0023:0xf7f9d849 [ 74.596901][ T9163] Code: Bad RIP value. [ 74.600945][ T9163] RSP: 002b:00000000f7f781ec EFLAGS: 00000296 ORIG_RAX: