[ 34.986173] audit: type=1800 audit(1549706865.484:28): pid=7400 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 35.965953] audit: type=1800 audit(1549706866.464:29): pid=7400 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 35.984403] audit: type=1800 audit(1549706866.474:30): pid=7400 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
[FAIL] startpar: service(s) returned failure: ssh ... failed!

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.155' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 46.337742]
[ 46.339386] ========================================================
[ 46.345853] WARNING: possible irq lock inversion dependency detected
[ 46.352335] 5.0.0-rc5+ #64 Not tainted
[ 46.356202] --------------------------------------------------------
[ 46.362668] syz-executor838/7576 just changed the state of lock:
[ 46.368907] 00000000cff0d2ee (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x497/0x6d0
[ 46.377916] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 46.385254]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 46.385260]
[ 46.385260]
[ 46.385260] and interrupts could create inverse lock ordering between them.
[ 46.385260]
[ 46.401226]
[ 46.401226] other info that might help us debug this:
[ 46.407862] Chain exists of:
[ 46.407862]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 46.407862]
[ 46.420075]  Possible interrupt unsafe locking scenario:
[ 46.420075]
[ 46.426976]        CPU0                    CPU1
[ 46.431624]        ----                    ----
[ 46.436263]   lock(&ctx->fault_pending_wqh);
[ 46.440646]                                local_irq_disable();
[ 46.446676]                                lock(&(&ctx->ctx_lock)->rlock);
[ 46.453670]                                lock(&ctx->fd_wqh);
[ 46.459625]   <Interrupt>
[ 46.462354]     lock(&(&ctx->ctx_lock)->rlock);
[ 46.466995]
[ 46.466995]  *** DEADLOCK ***
[ 46.466995]
[ 46.473026] no locks held by syz-executor838/7576.
[ 46.477930]
[ 46.477930] the shortest dependencies between 2nd lock and 1st lock:
[ 46.485879] -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 46.490873]    IN-SOFTIRQ-W at:
[ 46.494311]                     lock_acquire+0x16f/0x3f0
[ 46.500084]                     _raw_spin_lock_irq+0x60/0x80
[ 46.506209]                     free_ioctx_users+0x2d/0x4a0
[ 46.512252]                     percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[ 46.519686]                     rcu_process_callbacks+0x928/0x1390
[ 46.526329]                     __do_softirq+0x266/0x95a
[ 46.532101]                     irq_exit+0x180/0x1d0
[ 46.537526]                     smp_apic_timer_interrupt+0x14a/0x570
[ 46.544343]                     apic_timer_interrupt+0xf/0x20
[ 46.550552]                     native_safe_halt+0x2/0x10
[ 46.556412]                     arch_cpu_idle+0x10/0x20
[ 46.562100]                     default_idle_call+0x36/0x90
[ 46.568133]                     do_idle+0x386/0x570
[ 46.573530]                     cpu_startup_entry+0x1b/0x20
[ 46.579575]                     rest_init+0x245/0x37b
[ 46.585098]                     arch_call_rest_init+0xe/0x1b
[ 46.591223]                     start_kernel+0x808/0x841
[ 46.597005]                     x86_64_start_reservations+0x29/0x2b
[ 46.603737]                     x86_64_start_kernel+0x77/0x7b
[ 46.609947]                     secondary_startup_64+0xa4/0xb0
[ 46.616241]    INITIAL USE at:
[ 46.619590]                    lock_acquire+0x16f/0x3f0
[ 46.625423]                    _raw_spin_lock_irq+0x60/0x80
[ 46.631468]                    io_submit_one+0xeb6/0x1cf0
[ 46.637335]                    __x64_sys_io_submit+0x1bd/0x580
[ 46.643635]                    do_syscall_64+0x103/0x610
[ 46.649412]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.656483]  }
[ 46.658442]  ... key at: [] __key.51970+0x0/0x40
[ 46.665340]  ... acquired at:
[ 46.668602]    _raw_spin_lock+0x2f/0x40
[ 46.672555]    io_submit_one+0xedf/0x1cf0
[ 46.676682]    __x64_sys_io_submit+0x1bd/0x580
[ 46.681256]    do_syscall_64+0x103/0x610
[ 46.685295]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.690632]
[ 46.692233] -> (&ctx->fd_wqh){....} {
[ 46.696100]    INITIAL USE at:
[ 46.699373]                    lock_acquire+0x16f/0x3f0
[ 46.704887]                    _raw_spin_lock_irq+0x60/0x80
[ 46.710934]                    userfaultfd_read+0x27a/0x1940
[ 46.716891]                    __vfs_read+0x116/0x8c0
[ 46.722237]                    vfs_read+0x194/0x3e0
[ 46.727410]                    ksys_read+0xea/0x1f0
[ 46.732580]                    __x64_sys_read+0x73/0xb0
[ 46.738108]                    do_syscall_64+0x103/0x610
[ 46.743711]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.750608]  }
[ 46.752483]  ... key at: [] __key.44852+0x0/0x40
[ 46.759293]  ... acquired at:
[ 46.762469]    _raw_spin_lock+0x2f/0x40
[ 46.766509]    userfaultfd_read+0x540/0x1940
[ 46.770904]    __vfs_read+0x116/0x8c0
[ 46.774689]    vfs_read+0x194/0x3e0
[ 46.778295]    ksys_read+0xea/0x1f0
[ 46.781904]    __x64_sys_read+0x73/0xb0
[ 46.785856]    do_syscall_64+0x103/0x610
[ 46.789896]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.795246]
[ 46.796865] -> (&ctx->fault_pending_wqh){+.+.} {
[ 46.801597]    HARDIRQ-ON-W at:
[ 46.804854]                     lock_acquire+0x16f/0x3f0
[ 46.810278]                     _raw_spin_lock+0x2f/0x40
[ 46.815703]                     userfaultfd_release+0x497/0x6d0
[ 46.821907]                     __fput+0x2df/0x8d0
[ 46.826818]                     ____fput+0x16/0x20
[ 46.831725]                     task_work_run+0x14a/0x1c0
[ 46.837285]                     do_exit+0x92c/0x2fd0
[ 46.842371]                     do_group_exit+0x135/0x370
[ 46.847886]                     get_signal+0x35c/0x1d60
[ 46.853327]                     do_signal+0x87/0x1940
[ 46.858507]                     exit_to_usermode_loop+0x244/0x2c0
[ 46.864721]                     do_syscall_64+0x52d/0x610
[ 46.870240]                     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.877059]    SOFTIRQ-ON-W at:
[ 46.880324]                     lock_acquire+0x16f/0x3f0
[ 46.885752]                     _raw_spin_lock+0x2f/0x40
[ 46.891180]                     userfaultfd_release+0x497/0x6d0
[ 46.897219]                     __fput+0x2df/0x8d0
[ 46.902130]                     ____fput+0x16/0x20
[ 46.907040]                     task_work_run+0x14a/0x1c0
[ 46.912583]                     do_exit+0x92c/0x2fd0
[ 46.917671]                     do_group_exit+0x135/0x370
[ 46.923186]                     get_signal+0x35c/0x1d60
[ 46.928528]                     do_signal+0x87/0x1940
[ 46.933697]                     exit_to_usermode_loop+0x244/0x2c0
[ 46.939908]                     do_syscall_64+0x52d/0x610
[ 46.945424]                     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.952234]    INITIAL USE at:
[ 46.955409]                    lock_acquire+0x16f/0x3f0
[ 46.960749]                    _raw_spin_lock+0x2f/0x40
[ 46.966093]                    userfaultfd_read+0x540/0x1940
[ 46.971870]                    __vfs_read+0x116/0x8c0
[ 46.977038]                    vfs_read+0x194/0x3e0
[ 46.982031]                    ksys_read+0xea/0x1f0
[ 46.987032]                    __x64_sys_read+0x73/0xb0
[ 46.992384]                    do_syscall_64+0x103/0x610
[ 46.997813]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.004537]  }
[ 47.006327]  ... key at: [] __key.44849+0x0/0x40
[ 47.013050]  ... acquired at:
[ 47.016136]    mark_lock+0x427/0x1380
[ 47.019914]    __lock_acquire+0xca5/0x4700
[ 47.024126]    lock_acquire+0x16f/0x3f0
[ 47.028094]    _raw_spin_lock+0x2f/0x40
[ 47.032048]    userfaultfd_release+0x497/0x6d0
[ 47.036609]    __fput+0x2df/0x8d0
[ 47.040038]    ____fput+0x16/0x20
[ 47.043479]    task_work_run+0x14a/0x1c0
[ 47.047525]    do_exit+0x92c/0x2fd0
[ 47.051133]    do_group_exit+0x135/0x370
[ 47.055179]    get_signal+0x35c/0x1d60
[ 47.059046]    do_signal+0x87/0x1940
[ 47.062740]    exit_to_usermode_loop+0x244/0x2c0
[ 47.067475]    do_syscall_64+0x52d/0x610
[ 47.071516]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.076871]
[ 47.078473]
[ 47.078473] stack backtrace:
[ 47.082953] CPU: 0 PID: 7576 Comm: syz-executor838 Not tainted 5.0.0-rc5+ #64
[ 47.090201] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.099622] Call Trace:
[ 47.102203]  dump_stack+0x172/0x1f0
[ 47.105821]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 47.111167]  check_usage_backwards.cold+0x1d/0x26
[ 47.115987]  ? print_shortest_lock_dependencies+0x90/0x90
[ 47.121505]  ? save_stack_trace+0x1a/0x20
[ 47.125630]  ? save_trace+0xe0/0x290
[ 47.129325]  mark_lock+0x427/0x1380
[ 47.132942]  ? print_shortest_lock_dependencies+0x90/0x90
[ 47.138459]  __lock_acquire+0xca5/0x4700
[ 47.142501]  ? depot_save_stack+0x1de/0x460
[ 47.146806]  ? kasan_check_read+0x11/0x20
[ 47.150932]  ? mark_held_locks+0x100/0x100
[ 47.155142]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 47.160349]  ? depot_save_stack+0x1de/0x460
[ 47.164672]  ? __lock_acquire+0x53b/0x4700
[ 47.168887]  ? __lock_acquire+0x53b/0x4700
[ 47.173126]  ? free_fs_struct+0x4f/0x70
[ 47.177080]  ? do_exit+0x902/0x2fd0
[ 47.180685]  lock_acquire+0x16f/0x3f0
[ 47.184462]  ? userfaultfd_release+0x497/0x6d0
[ 47.189022]  _raw_spin_lock+0x2f/0x40
[ 47.192798]  ? userfaultfd_release+0x497/0x6d0
[ 47.197448]  userfaultfd_release+0x497/0x6d0
[ 47.201838]  ? userfaultfd_event_wait_completion+0xa50/0xa50
[ 47.207615]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 47.213146]  ? ima_file_free+0xc9/0x4a0
[ 47.217099]  ? __might_sleep+0x95/0x190
[ 47.221050]  ? userfaultfd_event_wait_completion+0xa50/0xa50
[ 47.226827]  __fput+0x2df/0x8d0
[ 47.230096]  ____fput+0x16/0x20
[ 47.233356]  task_work_run+0x14a/0x1c0
[ 47.237312]  do_exit+0x92c/0x2fd0
[ 47.240740]  ? get_signal+0x2f2/0x1d60
[ 47.244602]  ? mm_update_next_owner+0x660/0x660
[ 47.249249]  ? kasan_check_read+0x11/0x20
[ 47.253373]  ? _raw_spin_unlock_irq+0x28/0x90
[ 47.257843]  ? get_signal+0x2f2/0x1d60
[ 47.261706]  ? _raw_spin_unlock_irq+0x28/0x90
[ 47.266176]  do_group_exit+0x135/0x370
[ 47.270038]  get_signal+0x35c/0x1d60
[ 47.273729]  ? __x64_sys_io_submit+0x31f/0x580
[ 47.278290]  do_signal+0x87/0x1940
[ 47.281810]  ? lock_downgrade+0x810/0x810
[ 47.286111]  ? kasan_check_read+0x11/0x20
[ 47.290247]  ? setup_sigcontext+0x7d0/0x7d0
[ 47.294564]  ? exit_to_usermode_loop+0x43/0x2c0
[ 47.299215]  ? do_syscall_64+0x52d/0x610
[ 47.303257]  ? exit_to_usermode_loop+0x43/0x2c0
[ 47.307909]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 47.312471]  ? trace_hardirqs_on+0x67/0x230
[ 47.316791]  exit_to_usermode_loop+0x244/0x2c0
[ 47.321355]  do_syscall_64+0x52d/0x610
[ 47.325223]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.330395] RIP: 0033:0x4457a9
[ 47.333632] Code: Bad RIP value.
[ 47.336977] RSP: 002b:00007f13d9f45db8 EFLAGS: 00000246 ORIG