[ 66.423679][ T26] audit: type=1800 audit(1560720399.154:25): pid=9020 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 66.448925][ T26] audit: type=1800 audit(1560720399.184:26): pid=9020 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 66.487473][ T26] audit: type=1800 audit(1560720399.184:27): pid=9020 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[FAIL] startpar: service(s) returned failure: ssh ... failed!

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.149' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 83.288462][ T9198]
[ 83.290817][ T9198] ========================================================
[ 83.297986][ T9198] WARNING: possible irq lock inversion dependency detected
[ 83.305191][ T9198] 5.2.0-rc4+ #33 Not tainted
[ 83.309771][ T9198] --------------------------------------------------------
[ 83.317122][ T9198] syz-executor676/9198 just changed the state of lock:
[ 83.323955][ T9198] 00000000a2132ed8 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x4ca/0x710
[ 83.333831][ T9198] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 83.341909][ T9198]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 83.341918][ T9198]
[ 83.341918][ T9198]
[ 83.341918][ T9198] and interrupts could create inverse lock ordering between them.
[ 83.341918][ T9198]
[ 83.361509][ T9198]
[ 83.361509][ T9198] other info that might help us debug this:
[ 83.369784][ T9198] Chain exists of:
[ 83.369784][ T9198]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 83.369784][ T9198]
[ 83.384163][ T9198]  Possible interrupt unsafe locking scenario:
[ 83.384163][ T9198]
[ 83.392476][ T9198]        CPU0                    CPU1
[ 83.397825][ T9198]        ----                    ----
[ 83.403285][ T9198]   lock(&ctx->fault_pending_wqh);
[ 83.408567][ T9198]                                local_irq_disable();
[ 83.415307][ T9198]                                lock(&(&ctx->ctx_lock)->rlock);
[ 83.423005][ T9198]                                lock(&ctx->fd_wqh);
[ 83.429659][ T9198]
[ 83.433085][ T9198]     lock(&(&ctx->ctx_lock)->rlock);
[ 83.438445][ T9198]
[ 83.438445][ T9198]  *** DEADLOCK ***
[ 83.438445][ T9198]
[ 83.446599][ T9198] no locks held by syz-executor676/9198.
[ 83.452256][ T9198]
[ 83.452256][ T9198] the shortest dependencies between 2nd lock and 1st lock:
[ 83.461715][ T9198] -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 83.467432][ T9198]   IN-SOFTIRQ-W at:
[ 83.471646][ T9198]     lock_acquire+0x16f/0x3f0
[ 83.478155][ T9198]     _raw_spin_lock_irq+0x60/0x80
[ 83.484995][ T9198]     free_ioctx_users+0x2d/0x490
[ 83.491763][ T9198]     percpu_ref_switch_to_atomic_rcu+0x407/0x540
[ 83.500013][ T9198]     rcu_core+0xba5/0x1500
[ 83.507045][ T9198]     __do_softirq+0x25c/0x94c
[ 83.513544][ T9198]     irq_exit+0x180/0x1d0
[ 83.519822][ T9198]     smp_apic_timer_interrupt+0x13b/0x550
[ 83.527997][ T9198]     apic_timer_interrupt+0xf/0x20
[ 83.552191][ T9198]     native_safe_halt+0xe/0x10
[ 83.568520][ T9198]     arch_cpu_idle+0xa/0x10
[ 83.580301][ T9198]     default_idle_call+0x36/0x90
[ 83.589831][ T9198]     do_idle+0x377/0x560
[ 83.598332][ T9198]     cpu_startup_entry+0x1b/0x20
[ 83.609232][ T9198]     rest_init+0x245/0x37b
[ 83.617738][ T9198]     arch_call_rest_init+0xe/0x1b
[ 83.634742][ T9198]     start_kernel+0x854/0x893
[ 83.642968][ T9198]     x86_64_start_reservations+0x29/0x2b
[ 83.650903][ T9198]     x86_64_start_kernel+0x77/0x7b
[ 83.658844][ T9198]     secondary_startup_64+0xa4/0xb0
[ 83.668669][ T9198]   INITIAL USE at:
[ 83.677995][ T9198]     lock_acquire+0x16f/0x3f0
[ 83.685431][ T9198]     _raw_spin_lock_irq+0x60/0x80
[ 83.693245][ T9198]     io_submit_one+0xeb5/0x2ef0
[ 83.700683][ T9198]     __x64_sys_io_submit+0x1bd/0x570
[ 83.708972][ T9198]     do_syscall_64+0xfd/0x680
[ 83.715388][ T9198]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 83.724876][ T9198] }
[ 83.728121][ T9198]  ... key at: [] __key.53427+0x0/0x40
[ 83.736708][ T9198]  ... acquired at:
[ 83.741628][ T9198]     _raw_spin_lock+0x2f/0x40
[ 83.748628][ T9198]     io_submit_one+0xefa/0x2ef0
[ 83.754448][ T9198]     __x64_sys_io_submit+0x1bd/0x570
[ 83.760263][ T9198]     do_syscall_64+0xfd/0x680
[ 83.779540][ T9198]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 83.807211][ T9198]
[ 83.809753][ T9198] -> (&ctx->fd_wqh){....} {
[ 83.815605][ T9198]   INITIAL USE at:
[ 83.819705][ T9198]     lock_acquire+0x16f/0x3f0
[ 83.826041][ T9198]     _raw_spin_lock_irq+0x60/0x80
[ 83.833540][ T9198]     userfaultfd_read+0x27a/0x1940
[ 83.843631][ T9198]     do_iter_read+0x4a4/0x660
[ 83.850643][ T9198]     vfs_readv+0xf0/0x160
[ 83.856818][ T9198]     do_readv+0x15b/0x330
[ 83.864039][ T9198]     __x64_sys_readv+0x75/0xb0
[ 83.870805][ T9198]     do_syscall_64+0xfd/0x680
[ 83.878448][ T9198]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 83.886388][ T9198] }
[ 83.888978][ T9198]  ... key at: [] __key.46103+0x0/0x40
[ 83.896500][ T9198]  ... acquired at:
[ 83.900395][ T9198]     _raw_spin_lock+0x2f/0x40
[ 83.905058][ T9198]     userfaultfd_read+0x540/0x1940
[ 83.910154][ T9198]     do_iter_read+0x4a4/0x660
[ 83.914816][ T9198]     vfs_readv+0xf0/0x160
[ 83.919176][ T9198]     do_readv+0x15b/0x330
[ 83.923500][ T9198]     __x64_sys_readv+0x75/0xb0
[ 83.928252][ T9198]     do_syscall_64+0xfd/0x680
[ 83.933048][ T9198]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 83.939155][ T9198]
[ 83.941545][ T9198] -> (&ctx->fault_pending_wqh){+.+.} {
[ 83.947058][ T9198]   HARDIRQ-ON-W at:
[ 83.951106][ T9198]     lock_acquire+0x16f/0x3f0
[ 83.957249][ T9198]     _raw_spin_lock+0x2f/0x40
[ 83.963612][ T9198]     userfaultfd_release+0x4ca/0x710
[ 83.970414][ T9198]     __fput+0x2ff/0x890
[ 83.976035][ T9198]     ____fput+0x16/0x20
[ 83.981870][ T9198]     task_work_run+0x145/0x1c0
[ 83.988285][ T9198]     do_exit+0x90a/0x2fa0
[ 83.994089][ T9198]     do_group_exit+0x135/0x370
[ 84.000316][ T9198]     get_signal+0x471/0x24b0
[ 84.006497][ T9198]     do_signal+0x87/0x1900
[ 84.012531][ T9198]     exit_to_usermode_loop+0x244/0x2c0
[ 84.019495][ T9198]     do_syscall_64+0x58e/0x680
[ 84.025817][ T9198]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 84.033445][ T9198]   SOFTIRQ-ON-W at:
[ 84.037421][ T9198]     lock_acquire+0x16f/0x3f0
[ 84.043867][ T9198]     _raw_spin_lock+0x2f/0x40
[ 84.050001][ T9198]     userfaultfd_release+0x4ca/0x710
[ 84.056754][ T9198]     __fput+0x2ff/0x890
[ 84.062513][ T9198]     ____fput+0x16/0x20
[ 84.068182][ T9198]     task_work_run+0x145/0x1c0
[ 84.074451][ T9198]     do_exit+0x90a/0x2fa0
[ 84.080238][ T9198]     do_group_exit+0x135/0x370
[ 84.086464][ T9198]     get_signal+0x471/0x24b0
[ 84.092642][ T9198]     do_signal+0x87/0x1900
[ 84.098523][ T9198]     exit_to_usermode_loop+0x244/0x2c0
[ 84.105447][ T9198]     do_syscall_64+0x58e/0x680
[ 84.111751][ T9198]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 84.119279][ T9198]   INITIAL USE at:
[ 84.123174][ T9198]     lock_acquire+0x16f/0x3f0
[ 84.129590][ T9198]     _raw_spin_lock+0x2f/0x40
[ 84.135789][ T9198]     userfaultfd_read+0x540/0x1940
[ 84.142405][ T9198]     do_iter_read+0x4a4/0x660
[ 84.148460][ T9198]     vfs_readv+0xf0/0x160
[ 84.154184][ T9198]     do_readv+0x15b/0x330
[ 84.160000][ T9198]     __x64_sys_readv+0x75/0xb0
[ 84.166252][ T9198]     do_syscall_64+0xfd/0x680
[ 84.172351][ T9198]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 84.179815][ T9198] }
[ 84.182330][ T9198]  ... key at: [] __key.46100+0x0/0x40
[ 84.189807][ T9198]  ... acquired at:
[ 84.193634][ T9198]     mark_lock+0x420/0x1370
[ 84.198122][ T9198]     __lock_acquire+0x12df/0x5490
[ 84.203130][ T9198]     lock_acquire+0x16f/0x3f0
[ 84.207803][ T9198]     _raw_spin_lock+0x2f/0x40
[ 84.212753][ T9198]     userfaultfd_release+0x4ca/0x710
[ 84.218132][ T9198]     __fput+0x2ff/0x890
[ 84.222269][ T9198]     ____fput+0x16/0x20
[ 84.226416][ T9198]     task_work_run+0x145/0x1c0
[ 84.231250][ T9198]     do_exit+0x90a/0x2fa0
[ 84.235562][ T9198]     do_group_exit+0x135/0x370
[ 84.240361][ T9198]     get_signal+0x471/0x24b0
[ 84.244944][ T9198]     do_signal+0x87/0x1900
[ 84.249357][ T9198]     exit_to_usermode_loop+0x244/0x2c0
[ 84.254876][ T9198]     do_syscall_64+0x58e/0x680
[ 84.259747][ T9198]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 84.265788][ T9198]
[ 84.268101][ T9198]
[ 84.268101][ T9198] stack backtrace:
[ 84.273980][ T9198] CPU: 0 PID: 9198 Comm: syz-executor676 Not tainted 5.2.0-rc4+ #33
[ 84.281976][ T9198] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 84.292036][ T9198] Call Trace:
[ 84.295571][ T9198]  dump_stack+0x172/0x1f0
[ 84.299905][ T9198]  print_irq_inversion_bug.part.0+0x2c5/0x2d2
[ 84.306091][ T9198]  check_usage_backwards.cold+0x1d/0x26
[ 84.311698][ T9198]  ? print_shortest_lock_dependencies+0x90/0x90
[ 84.317974][ T9198]  ? stack_trace_save+0xac/0xe0
[ 84.322816][ T9198]  ? stack_trace_consume_entry+0x190/0x190
[ 84.328654][ T9198]  ? kasan_check_write+0x14/0x20
[ 84.333583][ T9198]  ? graph_lock+0x7b/0x200
[ 84.337990][ T9198]  ? __lockdep_reset_lock+0x450/0x450
[ 84.343354][ T9198]  mark_lock+0x420/0x1370
[ 84.347674][ T9198]  ? print_shortest_lock_dependencies+0x90/0x90
[ 84.353904][ T9198]  __lock_acquire+0x12df/0x5490
[ 84.358741][ T9198]  ? kasan_check_write+0x14/0x20
[ 84.363674][ T9198]  ? mark_held_locks+0xf0/0xf0
[ 84.368609][ T9198]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 84.374479][ T9198]  ? stack_depot_save+0x25a/0x450
[ 84.379654][ T9198]  lock_acquire+0x16f/0x3f0
[ 84.384277][ T9198]  ? userfaultfd_release+0x4ca/0x710
[ 84.389559][ T9198]  _raw_spin_lock+0x2f/0x40
[ 84.394049][ T9198]  ? userfaultfd_release+0x4ca/0x710
[ 84.399321][ T9198]  userfaultfd_release+0x4ca/0x710
[ 84.404421][ T9198]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 84.410222][ T9198]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 84.416537][ T9198]  ? ima_file_free+0xc9/0x4a0
[ 84.421360][ T9198]  __fput+0x2ff/0x890
[ 84.425382][ T9198]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 84.431180][ T9198]  ____fput+0x16/0x20
[ 84.435159][ T9198]  task_work_run+0x145/0x1c0
[ 84.439925][ T9198]  do_exit+0x90a/0x2fa0
[ 84.444062][ T9198]  ? get_signal+0x387/0x24b0
[ 84.448642][ T9198]  ? mm_update_next_owner+0x640/0x640
[ 84.454002][ T9198]  ? kasan_check_write+0x14/0x20
[ 84.458933][ T9198]  ? _raw_spin_unlock_irq+0x28/0x90
[ 84.464206][ T9198]  ? get_signal+0x387/0x24b0
[ 84.468869][ T9198]  ? _raw_spin_unlock_irq+0x28/0x90
[ 84.474224][ T9198]  do_group_exit+0x135/0x370
[ 84.478807][ T9198]  get_signal+0x471/0x24b0
[ 84.483214][ T9198]  ? exit_robust_list+0x2c0/0x2c0
[ 84.488370][ T9198]  do_signal+0x87/0x1900
[ 84.492599][ T9198]  ? lock_downgrade+0x880/0x880
[ 84.497436][ T9198]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 84.503887][ T9198]  ? kasan_check_read+0x11/0x20
[ 84.508727][ T9198]  ? setup_sigcontext+0x7d0/0x7d0
[ 84.513739][ T9198]  ? exit_to_usermode_loop+0x43/0x2c0
[ 84.519103][ T9198]  ? do_syscall_64+0x58e/0x680
[ 84.523959][ T9198]  ? exit_to_usermode_loop+0x43/0x2c0
[ 84.529320][ T9198]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 84.534591][ T9198]  ? trace_hardirqs_on+0x67/0x220
[ 84.539606][ T9198]  exit_to_usermode_loop+0x244/0x2c0
[ 84.544967][ T9198]  do_syscall_64+0x58e/0x680
[ 84.549645][ T9198]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 84.555701][ T9198] RIP: 0033:0x445919
[ 84.559588][ T9198] Code: Bad RIP value.
[ 84.563676][ T9198] RSP: 002b:00007f2b85225db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 84.572178][ T9198] RAX: fffffffffffffe00 RBX: 00000000006dac58 RCX: 0000000000445919
[ 84.580140][ T9198] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dac58
[ 84.588316][ T9198] RBP: 00000000006dac50 R08: 0000000000000000 R09: 000