[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 44.684322][ T27] audit: type=1800 audit(1554726138.570:25): pid=7712 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 44.720729][ T27] audit: type=1800 audit(1554726138.570:26): pid=7712 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 44.741821][ T27] audit: type=1800 audit(1554726138.580:27): pid=7712 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.202' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 55.280211][ T7866] [ 55.282567][ T7866] ======================================================== [ 55.289734][ T7866] WARNING: possible irq lock inversion dependency detected [ 55.296920][ T7866] 5.1.0-rc3-next-20190408 #20 Not tainted [ 55.302618][ T7866] -------------------------------------------------------- [ 55.309826][ T7866] syz-executor694/7866 just changed the state of lock: [ 55.316649][ T7866] 00000000b894bd2f (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x4ca/0x710 [ 55.326391][ T7866] but this lock was taken by another, SOFTIRQ-safe lock in the past: [ 55.334455][ T7866] (&(&ctx->ctx_lock)->rlock){..-.} [ 55.334463][ T7866] [ 55.334463][ T7866] [ 55.334463][ T7866] and interrupts could create inverse lock ordering between them. [ 55.334463][ T7866] [ 55.353931][ T7866] [ 55.353931][ T7866] other info that might help us debug this: [ 55.361970][ T7866] Chain exists of: [ 55.361970][ T7866] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh [ 55.361970][ T7866] [ 55.376196][ T7866] Possible interrupt unsafe locking scenario: [ 55.376196][ T7866] [ 55.384498][ T7866] CPU0 CPU1 [ 55.389848][ T7866] ---- ---- [ 55.395187][ T7866] lock(&ctx->fault_pending_wqh); [ 55.400271][ T7866] local_irq_disable(); [ 55.407000][ T7866] lock(&(&ctx->ctx_lock)->rlock); [ 55.414692][ T7866] lock(&ctx->fd_wqh); [ 55.421338][ T7866] [ 55.424778][ T7866] lock(&(&ctx->ctx_lock)->rlock); [ 55.430119][ T7866] [ 55.430119][ T7866] *** DEADLOCK *** [ 55.430119][ T7866] [ 55.438247][ T7866] no locks held by syz-executor694/7866. [ 55.443854][ T7866] [ 55.443854][ T7866] the shortest dependencies between 2nd lock and 1st lock: [ 55.453213][ T7866] -> (&(&ctx->ctx_lock)->rlock){..-.} { [ 55.458924][ T7866] IN-SOFTIRQ-W at: [ 55.463086][ T7866] lock_acquire+0x16f/0x3f0 [ 55.469686][ T7866] _raw_spin_lock_irq+0x60/0x80 [ 55.476570][ T7866] free_ioctx_users+0x2d/0x4a0 [ 55.483441][ T7866] percpu_ref_switch_to_atomic_rcu+0x3e7/0x520 [ 55.491585][ T7866] rcu_core+0x985/0x1410 [ 55.497825][ T7866] __do_softirq+0x266/0x95a [ 55.504486][ T7866] irq_exit+0x180/0x1d0 [ 55.510623][ T7866] smp_apic_timer_interrupt+0x14a/0x570 [ 55.518157][ T7866] apic_timer_interrupt+0xf/0x20 [ 55.525176][ T7866] native_safe_halt+0x2/0x10 [ 55.531763][ T7866] arch_cpu_idle+0x10/0x20 [ 55.538172][ T7866] default_idle_call+0x36/0x90 [ 55.544950][ T7866] do_idle+0x386/0x570 [ 55.551014][ T7866] cpu_startup_entry+0x1b/0x20 [ 55.557767][ T7866] rest_init+0x245/0x37b [ 55.564035][ T7866] arch_call_rest_init+0xe/0x1b [ 55.570877][ T7866] start_kernel+0x816/0x84f [ 55.577374][ T7866] x86_64_start_reservations+0x29/0x2b [ 55.584817][ T7866] x86_64_start_kernel+0x77/0x7b [ 55.591745][ T7866] secondary_startup_64+0xa4/0xb0 [ 55.598740][ T7866] INITIAL USE at: [ 55.602801][ T7866] lock_acquire+0x16f/0x3f0 [ 55.609200][ T7866] _raw_spin_lock_irq+0x60/0x80 [ 55.615947][ T7866] io_submit_one+0xae2/0x2f40 [ 55.622552][ T7866] __x64_sys_io_submit+0x1bd/0x580 [ 55.629569][ T7866] do_syscall_64+0x103/0x610 [ 55.636059][ T7866] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 55.643840][ T7866] } [ 55.646533][ T7866] ... key at: [] __key.52858+0x0/0x40 [ 55.654139][ T7866] ... acquired at: [ 55.658105][ T7866] lock_acquire+0x16f/0x3f0 [ 55.662778][ T7866] _raw_spin_lock+0x2f/0x40 [ 55.667436][ T7866] io_submit_one+0xb27/0x2f40 [ 55.672269][ T7866] __x64_sys_io_submit+0x1bd/0x580 [ 55.677541][ T7866] do_syscall_64+0x103/0x610 [ 55.682285][ T7866] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 55.688319][ T7866] [ 55.690622][ T7866] -> (&ctx->fd_wqh){....} { [ 55.695187][ T7866] INITIAL USE at: [ 55.699157][ T7866] lock_acquire+0x16f/0x3f0 [ 55.706119][ T7866] _raw_spin_lock_irq+0x60/0x80 [ 55.712709][ T7866] userfaultfd_read+0x27a/0x1940 [ 55.719383][ T7866] __vfs_read+0x8d/0x110 [ 55.725435][ T7866] vfs_read+0x194/0x3e0 [ 55.739018][ T7866] ksys_read+0x14f/0x2d0 [ 55.745008][ T7866] __x64_sys_read+0x73/0xb0 [ 55.751242][ T7866] do_syscall_64+0x103/0x610 [ 55.757924][ T7866] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 55.765533][ T7866] } [ 55.768107][ T7866] ... key at: [] __key.45741+0x0/0x40 [ 55.775622][ T7866] ... acquired at: [ 55.779501][ T7866] lock_acquire+0x16f/0x3f0 [ 55.784158][ T7866] _raw_spin_lock+0x2f/0x40 [ 55.788833][ T7866] userfaultfd_read+0x540/0x1940 [ 55.793934][ T7866] __vfs_read+0x8d/0x110 [ 55.798337][ T7866] vfs_read+0x194/0x3e0 [ 55.802669][ T7866] ksys_read+0x14f/0x2d0 [ 55.807079][ T7866] __x64_sys_read+0x73/0xb0 [ 55.811752][ T7866] do_syscall_64+0x103/0x610 [ 55.816513][ T7866] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 55.822554][ T7866] [ 55.824860][ T7866] -> (&ctx->fault_pending_wqh){+.+.} { [ 55.830293][ T7866] HARDIRQ-ON-W at: [ 55.834253][ T7866] lock_acquire+0x16f/0x3f0 [ 55.840390][ T7866] _raw_spin_lock+0x2f/0x40 [ 55.846541][ T7866] userfaultfd_release+0x4ca/0x710 [ 55.853306][ T7866] __fput+0x2e5/0x8d0 [ 55.858941][ T7866] ____fput+0x16/0x20 [ 55.864567][ T7866] task_work_run+0x14a/0x1c0 [ 55.870797][ T7866] do_exit+0x90a/0x2fa0 [ 55.876609][ T7866] do_group_exit+0x135/0x370 [ 55.882888][ T7866] get_signal+0x399/0x1d50 [ 55.888954][ T7866] do_signal+0x87/0x1940 [ 55.894835][ T7866] exit_to_usermode_loop+0x244/0x2c0 [ 55.901761][ T7866] do_syscall_64+0x52d/0x610 [ 55.907989][ T7866] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 55.915500][ T7866] SOFTIRQ-ON-W at: [ 55.919479][ T7866] lock_acquire+0x16f/0x3f0 [ 55.925626][ T7866] _raw_spin_lock+0x2f/0x40 [ 55.931785][ T7866] userfaultfd_release+0x4ca/0x710 [ 55.938550][ T7866] __fput+0x2e5/0x8d0 [ 55.944155][ T7866] ____fput+0x16/0x20 [ 55.949776][ T7866] task_work_run+0x14a/0x1c0 [ 55.955986][ T7866] do_exit+0x90a/0x2fa0 [ 55.961797][ T7866] do_group_exit+0x135/0x370 [ 55.968014][ T7866] get_signal+0x399/0x1d50 [ 55.974159][ T7866] do_signal+0x87/0x1940 [ 55.980031][ T7866] exit_to_usermode_loop+0x244/0x2c0 [ 55.986941][ T7866] do_syscall_64+0x52d/0x610 [ 55.993157][ T7866] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 56.000670][ T7866] INITIAL USE at: [ 56.004548][ T7866] lock_acquire+0x16f/0x3f0 [ 56.010588][ T7866] _raw_spin_lock+0x2f/0x40 [ 56.016645][ T7866] userfaultfd_read+0x540/0x1940 [ 56.023127][ T7866] __vfs_read+0x8d/0x110 [ 56.028924][ T7866] vfs_read+0x194/0x3e0 [ 56.034619][ T7866] ksys_read+0x14f/0x2d0 [ 56.040400][ T7866] __x64_sys_read+0x73/0xb0 [ 56.046447][ T7866] do_syscall_64+0x103/0x610 [ 56.052585][ T7866] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 56.060013][ T7866] } [ 56.062500][ T7866] ... key at: [] __key.45738+0x0/0x40 [ 56.069988][ T7866] ... acquired at: [ 56.073776][ T7866] mark_lock+0x427/0x1380 [ 56.078265][ T7866] __lock_acquire+0x1317/0x3fb0 [ 56.083262][ T7866] lock_acquire+0x16f/0x3f0 [ 56.087917][ T7866] _raw_spin_lock+0x2f/0x40 [ 56.092567][ T7866] userfaultfd_release+0x4ca/0x710 [ 56.097826][ T7866] __fput+0x2e5/0x8d0 [ 56.101954][ T7866] ____fput+0x16/0x20 [ 56.106085][ T7866] task_work_run+0x14a/0x1c0 [ 56.110824][ T7866] do_exit+0x90a/0x2fa0 [ 56.115139][ T7866] do_group_exit+0x135/0x370 [ 56.119874][ T7866] get_signal+0x399/0x1d50 [ 56.124448][ T7866] do_signal+0x87/0x1940 [ 56.128842][ T7866] exit_to_usermode_loop+0x244/0x2c0 [ 56.134270][ T7866] do_syscall_64+0x52d/0x610 [ 56.139037][ T7866] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 56.145069][ T7866] [ 56.147365][ T7866] [ 56.147365][ T7866] stack backtrace: [ 56.153232][ T7866] CPU: 0 PID: 7866 Comm: syz-executor694 Not tainted 5.1.0-rc3-next-20190408 #20 [ 56.162320][ T7866] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 56.172634][ T7866] Call Trace: [ 56.175936][ T7866] dump_stack+0x172/0x1f0 [ 56.180244][ T7866] print_irq_inversion_bug.part.0+0x2c0/0x2cd [ 56.186283][ T7866] check_usage_backwards.cold+0x1d/0x26 [ 56.191804][ T7866] ? print_shortest_lock_dependencies+0x90/0x90 [ 56.198022][ T7866] ? save_stack_trace+0x1a/0x20 [ 56.202849][ T7866] mark_lock+0x427/0x1380 [ 56.207170][ T7866] ? print_shortest_lock_dependencies+0x90/0x90 [ 56.213389][ T7866] __lock_acquire+0x1317/0x3fb0 [ 56.218248][ T7866] ? trace_hardirqs_off+0x62/0x220 [ 56.223337][ T7866] ? kasan_check_read+0x11/0x20 [ 56.228166][ T7866] ? mark_held_locks+0xf0/0xf0 [ 56.232956][ T7866] ? save_stack+0xa9/0xd0 [ 56.237275][ T7866] ? save_stack+0x45/0xd0 [ 56.241585][ T7866] ? __kasan_slab_free+0x102/0x150 [ 56.246672][ T7866] ? kasan_slab_free+0xe/0x10 [ 56.251332][ T7866] ? kmem_cache_free+0x86/0x260 [ 56.256174][ T7866] ? free_fs_struct+0x4f/0x70 [ 56.260825][ T7866] ? exit_fs+0xf0/0x130 [ 56.264956][ T7866] lock_acquire+0x16f/0x3f0 [ 56.269527][ T7866] ? userfaultfd_release+0x4ca/0x710 [ 56.274812][ T7866] _raw_spin_lock+0x2f/0x40 [ 56.279291][ T7866] ? userfaultfd_release+0x4ca/0x710 [ 56.284553][ T7866] userfaultfd_release+0x4ca/0x710 [ 56.289640][ T7866] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 56.295441][ T7866] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 56.301676][ T7866] ? ima_file_free+0xc9/0x4a0 [ 56.306344][ T7866] ? __might_sleep+0x95/0x190 [ 56.310996][ T7866] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 56.316772][ T7866] __fput+0x2e5/0x8d0 [ 56.320734][ T7866] ____fput+0x16/0x20 [ 56.324693][ T7866] task_work_run+0x14a/0x1c0 [ 56.329324][ T7866] do_exit+0x90a/0x2fa0 [ 56.333458][ T7866] ? get_signal+0x331/0x1d50 [ 56.338022][ T7866] ? mm_update_next_owner+0x640/0x640 [ 56.343370][ T7866] ? kasan_check_write+0x14/0x20 [ 56.348283][ T7866] ? _raw_spin_unlock_irq+0x28/0x90 [ 56.353468][ T7866] ? get_signal+0x331/0x1d50 [ 56.358041][ T7866] ? _raw_spin_unlock_irq+0x28/0x90 [ 56.363217][ T7866] do_group_exit+0x135/0x370 [ 56.367788][ T7866] get_signal+0x399/0x1d50 [ 56.372193][ T7866] ? __x64_sys_io_submit+0x31f/0x580 [ 56.377454][ T7866] do_signal+0x87/0x1940 [ 56.381672][ T7866] ? lock_downgrade+0x880/0x880 [ 56.386533][ T7866] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 56.392752][ T7866] ? kasan_check_read+0x11/0x20 [ 56.397578][ T7866] ? setup_sigcontext+0x7d0/0x7d0 [ 56.402602][ T7866] ? exit_to_usermode_loop+0x43/0x2c0 [ 56.407947][ T7866] ? do_syscall_64+0x52d/0x610 [ 56.412691][ T7866] ? exit_to_usermode_loop+0x43/0x2c0 [ 56.418036][ T7866] ? lockdep_hardirqs_on+0x418/0x5d0 [ 56.423297][ T7866] ? trace_hardirqs_on+0x67/0x230 [ 56.428313][ T7866] exit_to_usermode_loop+0x244/0x2c0 [ 56.433573][ T7866] do_syscall_64+0x52d/0x610 [ 56.438152][ T7866] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 56.444017][ T7866] RIP: 0033:0x4458d9 [ 56.447909][ T7866] Code: Bad RIP value. [ 56.451950][ T7866] RSP: 002b:00007f8d9e68ddb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 56.460330][ T7866] RAX: fffffffffffffe00 RBX: 00000000006dac58 RCX: 00000000004458d9 [ 56.468276][ T7866] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dac58 [ 56.476223][ T7866] RBP: 00000000006dac50 R08: 0000000000000000 R09: 0000000000000000 [ 56.484166][ T7866] R10: 0000000000000000 R11: 0000000000000246 R12: 00