[ 38.407255] audit: type=1800 audit(1550278756.285:25): pid=7617 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 38.434122] audit: type=1800 audit(1550278756.285:26): pid=7617 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 38.466062] audit: type=1800 audit(1550278756.295:27): pid=7617 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [ 38.487117] audit: type=1800 audit(1550278756.295:28): pid=7617 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.173' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 47.505461] [ 47.507100] ======================================================== [ 47.513562] WARNING: possible irq lock inversion dependency detected [ 47.520039] 5.0.0-rc6+ #73 Not tainted [ 47.523911] -------------------------------------------------------- [ 47.530390] syz-executor134/7770 just changed the state of lock: [ 47.536507] 000000002815e9ab (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x497/0x6d0 [ 47.545502] but this lock was taken by another, SOFTIRQ-safe lock in the past: [ 47.552834] (&(&ctx->ctx_lock)->rlock){..-.} [ 47.552840] [ 47.552840] [ 47.552840] and interrupts could create inverse lock ordering between them. [ 47.552840] [ 47.568803] [ 47.568803] other info that might help us debug this: [ 47.575437] Chain exists of: [ 47.575437] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh [ 47.575437] [ 47.587562] Possible interrupt unsafe locking scenario: [ 47.587562] [ 47.594468] CPU0 CPU1 [ 47.599115] ---- ---- [ 47.603752] lock(&ctx->fault_pending_wqh); [ 47.608137] local_irq_disable(); [ 47.614181] lock(&(&ctx->ctx_lock)->rlock); [ 47.621170] lock(&ctx->fd_wqh); [ 47.627116] [ 47.629934] lock(&(&ctx->ctx_lock)->rlock); [ 47.634573] [ 47.634573] *** DEADLOCK *** [ 47.634573] [ 47.640619] no locks held by syz-executor134/7770. [ 47.645523] [ 47.645523] the shortest dependencies between 2nd lock and 1st lock: [ 47.653483] -> (&(&ctx->ctx_lock)->rlock){..-.} { [ 47.658495] IN-SOFTIRQ-W at: [ 47.661933] lock_acquire+0x16f/0x3f0 [ 47.667709] _raw_spin_lock_irq+0x60/0x80 [ 47.673829] free_ioctx_users+0x2d/0x4a0 [ 47.679862] percpu_ref_switch_to_atomic_rcu+0x3e7/0x520 [ 47.687312] rcu_process_callbacks+0x928/0x1390 [ 47.693957] __do_softirq+0x266/0x95a [ 47.699739] irq_exit+0x180/0x1d0 [ 47.705169] smp_apic_timer_interrupt+0x14a/0x570 [ 47.711996] apic_timer_interrupt+0xf/0x20 [ 47.718214] native_safe_halt+0x2/0x10 [ 47.724090] arch_cpu_idle+0x10/0x20 [ 47.729779] default_idle_call+0x36/0x90 [ 47.735815] do_idle+0x386/0x570 [ 47.741152] cpu_startup_entry+0x1b/0x20 [ 47.747186] rest_init+0x245/0x37b [ 47.752701] arch_call_rest_init+0xe/0x1b [ 47.758837] start_kernel+0x803/0x83c [ 47.764641] x86_64_start_reservations+0x29/0x2b [ 47.771370] x86_64_start_kernel+0x77/0x7b [ 47.777581] secondary_startup_64+0xa4/0xb0 [ 47.783883] INITIAL USE at: [ 47.787230] lock_acquire+0x16f/0x3f0 [ 47.792919] _raw_spin_lock_irq+0x60/0x80 [ 47.798953] io_submit_one+0xeb6/0x1cf0 [ 47.804822] __x64_sys_io_submit+0x1bd/0x580 [ 47.811129] do_syscall_64+0x103/0x610 [ 47.816898] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 47.823992] } [ 47.825958] ... key at: [] __key.51970+0x0/0x40 [ 47.832865] ... acquired at: [ 47.836153] _raw_spin_lock+0x2f/0x40 [ 47.840101] io_submit_one+0xedf/0x1cf0 [ 47.844237] __x64_sys_io_submit+0x1bd/0x580 [ 47.848800] do_syscall_64+0x103/0x610 [ 47.852841] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 47.858180] [ 47.859778] -> (&ctx->fd_wqh){....} { [ 47.863654] INITIAL USE at: [ 47.866929] lock_acquire+0x16f/0x3f0 [ 47.872443] _raw_spin_lock_irq+0x60/0x80 [ 47.878299] userfaultfd_read+0x27a/0x1940 [ 47.884248] __vfs_read+0x116/0x8c0 [ 47.889587] vfs_read+0x194/0x3e0 [ 47.894750] ksys_read+0xea/0x1f0 [ 47.899918] __x64_sys_read+0x73/0xb0 [ 47.905459] do_syscall_64+0x103/0x610 [ 47.911058] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 47.917953] } [ 47.919827] ... key at: [] __key.44852+0x0/0x40 [ 47.926637] ... acquired at: [ 47.929840] _raw_spin_lock+0x2f/0x40 [ 47.933787] userfaultfd_read+0x540/0x1940 [ 47.938176] __vfs_read+0x116/0x8c0 [ 47.941951] vfs_read+0x194/0x3e0 [ 47.945561] ksys_read+0xea/0x1f0 [ 47.949165] __x64_sys_read+0x73/0xb0 [ 47.953127] do_syscall_64+0x103/0x610 [ 47.957165] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 47.962513] [ 47.964116] -> (&ctx->fault_pending_wqh){+.+.} { [ 47.968850] HARDIRQ-ON-W at: [ 47.972107] lock_acquire+0x16f/0x3f0 [ 47.977532] _raw_spin_lock+0x2f/0x40 [ 47.982984] userfaultfd_release+0x497/0x6d0 [ 47.989022] __fput+0x2df/0x8d0 [ 47.993926] ____fput+0x16/0x20 [ 47.998832] task_work_run+0x14a/0x1c0 [ 48.004370] do_exit+0x92c/0x2fd0 [ 48.009468] do_group_exit+0x135/0x370 [ 48.015018] get_signal+0x399/0x1d50 [ 48.020376] do_signal+0x87/0x1940 [ 48.025544] exit_to_usermode_loop+0x244/0x2c0 [ 48.031755] do_syscall_64+0x52d/0x610 [ 48.037284] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 48.044101] SOFTIRQ-ON-W at: [ 48.047362] lock_acquire+0x16f/0x3f0 [ 48.052789] _raw_spin_lock+0x2f/0x40 [ 48.058216] userfaultfd_release+0x497/0x6d0 [ 48.064263] __fput+0x2df/0x8d0 [ 48.069183] ____fput+0x16/0x20 [ 48.074092] task_work_run+0x14a/0x1c0 [ 48.079616] do_exit+0x92c/0x2fd0 [ 48.084707] do_group_exit+0x135/0x370 [ 48.090236] get_signal+0x399/0x1d50 [ 48.095576] do_signal+0x87/0x1940 [ 48.100740] exit_to_usermode_loop+0x244/0x2c0 [ 48.106947] do_syscall_64+0x52d/0x610 [ 48.112468] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 48.119278] INITIAL USE at: [ 48.122448] lock_acquire+0x16f/0x3f0 [ 48.127789] _raw_spin_lock+0x2f/0x40 [ 48.133129] userfaultfd_read+0x540/0x1940 [ 48.138900] __vfs_read+0x116/0x8c0 [ 48.144069] vfs_read+0x194/0x3e0 [ 48.149092] ksys_read+0xea/0x1f0 [ 48.154087] __x64_sys_read+0x73/0xb0 [ 48.159427] do_syscall_64+0x103/0x610 [ 48.164854] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 48.171577] } [ 48.173361] ... key at: [] __key.44849+0x0/0x40 [ 48.180087] ... acquired at: [ 48.183167] mark_lock+0x427/0x1380 [ 48.186943] __lock_acquire+0xca5/0x4700 [ 48.191153] lock_acquire+0x16f/0x3f0 [ 48.195104] _raw_spin_lock+0x2f/0x40 [ 48.199087] userfaultfd_release+0x497/0x6d0 [ 48.203647] __fput+0x2df/0x8d0 [ 48.207092] ____fput+0x16/0x20 [ 48.210548] task_work_run+0x14a/0x1c0 [ 48.214612] do_exit+0x92c/0x2fd0 [ 48.218228] do_group_exit+0x135/0x370 [ 48.222294] get_signal+0x399/0x1d50 [ 48.226163] do_signal+0x87/0x1940 [ 48.229870] exit_to_usermode_loop+0x244/0x2c0 [ 48.234618] do_syscall_64+0x52d/0x610 [ 48.238658] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 48.244024] [ 48.245636] [ 48.245636] stack backtrace: [ 48.250108] CPU: 0 PID: 7770 Comm: syz-executor134 Not tainted 5.0.0-rc6+ #73 [ 48.257368] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 48.266693] Call Trace: [ 48.269257] dump_stack+0x172/0x1f0 [ 48.272887] print_irq_inversion_bug.part.0+0x2c0/0x2cd [ 48.278227] check_usage_backwards.cold+0x1d/0x26 [ 48.283046] ? print_shortest_lock_dependencies+0x90/0x90 [ 48.288577] ? save_stack_trace+0x1a/0x20 [ 48.292699] ? save_trace+0xe0/0x290 [ 48.296388] mark_lock+0x427/0x1380 [ 48.299998] ? print_shortest_lock_dependencies+0x90/0x90 [ 48.305517] __lock_acquire+0xca5/0x4700 [ 48.309554] ? depot_save_stack+0x1de/0x460 [ 48.313854] ? kasan_check_read+0x11/0x20 [ 48.317992] ? mark_held_locks+0x100/0x100 [ 48.322206] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 48.327289] ? depot_save_stack+0x1de/0x460 [ 48.331590] ? __lock_acquire+0x53b/0x4700 [ 48.335799] ? __lock_acquire+0x53b/0x4700 [ 48.340028] ? free_fs_struct+0x4f/0x70 [ 48.343998] ? do_exit+0x902/0x2fd0 [ 48.347618] lock_acquire+0x16f/0x3f0 [ 48.351408] ? userfaultfd_release+0x497/0x6d0 [ 48.355965] _raw_spin_lock+0x2f/0x40 [ 48.359751] ? userfaultfd_release+0x497/0x6d0 [ 48.364313] userfaultfd_release+0x497/0x6d0 [ 48.368699] ? userfaultfd_event_wait_completion+0xa50/0xa50 [ 48.374478] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 48.380007] ? ima_file_free+0xc9/0x4a0 [ 48.383956] ? __might_sleep+0x95/0x190 [ 48.387925] ? userfaultfd_event_wait_completion+0xa50/0xa50 [ 48.393700] __fput+0x2df/0x8d0 [ 48.396955] ____fput+0x16/0x20 [ 48.400218] task_work_run+0x14a/0x1c0 [ 48.404090] do_exit+0x92c/0x2fd0 [ 48.407523] ? get_signal+0x331/0x1d50 [ 48.411386] ? mm_update_next_owner+0x660/0x660 [ 48.416189] ? kasan_check_read+0x11/0x20 [ 48.420319] ? _raw_spin_unlock_irq+0x28/0x90 [ 48.424797] ? get_signal+0x331/0x1d50 [ 48.428666] ? _raw_spin_unlock_irq+0x28/0x90 [ 48.433140] do_group_exit+0x135/0x370 [ 48.437009] get_signal+0x399/0x1d50 [ 48.440700] ? __x64_sys_io_submit+0x31f/0x580 [ 48.445263] do_signal+0x87/0x1940 [ 48.448785] ? lock_downgrade+0x810/0x810 [ 48.452912] ? kasan_check_read+0x11/0x20 [ 48.457045] ? setup_sigcontext+0x7d0/0x7d0 [ 48.461346] ? exit_to_usermode_loop+0x43/0x2c0 [ 48.466001] ? do_syscall_64+0x52d/0x610 [ 48.470042] ? exit_to_usermode_loop+0x43/0x2c0 [ 48.474692] ? lockdep_hardirqs_on+0x415/0x5d0 [ 48.479253] ? trace_hardirqs_on+0x67/0x230 [ 48.483555] exit_to_usermode_loop+0x244/0x2c0 [ 48.488119] do_syscall_64+0x52d/0x610 [ 48.492011] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 48.497179] RIP: 0033:0x4457a9 [ 48.500355] Code: Bad RIP value. [ 48.503713] RSP: 002b:00007f0a66882db8 EFLAGS: 00000246 ORIG_RAX: 0