[ 37.999863] audit: type=1800 audit(1549701604.332:32): pid=7572 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 38.855873] audit: type=1800 audit(1549701605.272:33): pid=7572 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.210' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 47.455558] kauditd_printk_skb: 2 callbacks suppressed
[ 47.455571] audit: type=1400 audit(1549701613.872:36): avc: denied { map } for pid=7760 comm="syz-executor666" path="/root/syz-executor666200132" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 47.818803]
[ 47.820448] ========================================================
[ 47.826916] WARNING: possible irq lock inversion dependency detected
[ 47.833382] 5.0.0-rc5+ #64 Not tainted
[ 47.837251] --------------------------------------------------------
[ 47.843726] syz-executor666/7762 just changed the state of lock:
[ 47.849845] 00000000500f4194 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x497/0x6d0
[ 47.858845] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 47.866187]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 47.866193]
[ 47.866193]
[ 47.866193] and interrupts could create inverse lock ordering between them.
[ 47.866193]
[ 47.882153]
[ 47.882153] other info that might help us debug this:
[ 47.888792] Chain exists of:
[ 47.888792]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 47.888792]
[ 47.900916]  Possible interrupt unsafe locking scenario:
[ 47.900916]
[ 47.907814]        CPU0                    CPU1
[ 47.912456]        ----                    ----
[ 47.917095]   lock(&ctx->fault_pending_wqh);
[ 47.921489]                                local_irq_disable();
[ 47.927522]                                lock(&(&ctx->ctx_lock)->rlock);
[ 47.934509]                                lock(&ctx->fd_wqh);
[ 47.940454]
[ 47.943186]     lock(&(&ctx->ctx_lock)->rlock);
[ 47.947827]
[ 47.947827]  *** DEADLOCK ***
[ 47.947827]
[ 47.953860] no locks held by syz-executor666/7762.
[ 47.958760]
[ 47.958760] the shortest dependencies between 2nd lock and 1st lock:
[ 47.966702]  -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 47.971694]    IN-SOFTIRQ-W at:
[ 47.975126]                     lock_acquire+0x16f/0x3f0
[ 47.980898]                     _raw_spin_lock_irq+0x60/0x80
[ 47.987025]                     free_ioctx_users+0x2d/0x4a0
[ 47.993149]                     percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[ 48.000573]                     rcu_process_callbacks+0x928/0x1390
[ 48.007252]                     __do_softirq+0x266/0x95a
[ 48.013052]                     irq_exit+0x180/0x1d0
[ 48.018482]                     smp_apic_timer_interrupt+0x14a/0x570
[ 48.025301]                     apic_timer_interrupt+0xf/0x20
[ 48.031510]                     native_safe_halt+0x2/0x10
[ 48.037374]                     arch_cpu_idle+0x10/0x20
[ 48.043080]                     default_idle_call+0x36/0x90
[ 48.049117]                     do_idle+0x386/0x570
[ 48.054455]                     cpu_startup_entry+0x1b/0x20
[ 48.060490]                     rest_init+0x245/0x37b
[ 48.066013]                     arch_call_rest_init+0xe/0x1b
[ 48.072135]                     start_kernel+0x808/0x841
[ 48.077911]                     x86_64_start_reservations+0x29/0x2b
[ 48.084640]                     x86_64_start_kernel+0x77/0x7b
[ 48.090848]                     secondary_startup_64+0xa4/0xb0
[ 48.097138]    INITIAL USE at:
[ 48.100482]                    lock_acquire+0x16f/0x3f0
[ 48.106182]                    _raw_spin_lock_irq+0x60/0x80
[ 48.112218]                    io_submit_one+0xeb6/0x1cf0
[ 48.118076]                    __x64_sys_io_submit+0x1bd/0x580
[ 48.124385]                    do_syscall_64+0x103/0x610
[ 48.130162]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.137234]  }
[ 48.139194]  ... key      at: [] __key.51970+0x0/0x40
[ 48.146092]  ... acquired at:
[ 48.149347]    _raw_spin_lock+0x2f/0x40
[ 48.153301]    io_submit_one+0xedf/0x1cf0
[ 48.157427]    __x64_sys_io_submit+0x1bd/0x580
[ 48.161985]    do_syscall_64+0x103/0x610
[ 48.166026]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.171362]
[ 48.172963]  -> (&ctx->fd_wqh){....} {
[ 48.176830]    INITIAL USE at:
[ 48.180094]                    lock_acquire+0x16f/0x3f0
[ 48.185609]                    _raw_spin_lock_irq+0x60/0x80
[ 48.191473]                    userfaultfd_read+0x27a/0x1940
[ 48.197428]                    __vfs_read+0x116/0x8c0
[ 48.202771]                    vfs_read+0x194/0x3e0
[ 48.207937]                    ksys_read+0xea/0x1f0
[ 48.213101]                    __x64_sys_read+0x73/0xb0
[ 48.218616]                    do_syscall_64+0x103/0x610
[ 48.224218]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.231117]  }
[ 48.232987]  ... key      at: [] __key.44852+0x0/0x40
[ 48.239803]  ... acquired at:
[ 48.242973]    _raw_spin_lock+0x2f/0x40
[ 48.246936]    userfaultfd_read+0x540/0x1940
[ 48.251337]    __vfs_read+0x116/0x8c0
[ 48.255115]    vfs_read+0x194/0x3e0
[ 48.258718]    ksys_read+0xea/0x1f0
[ 48.262321]    __x64_sys_read+0x73/0xb0
[ 48.266307]    do_syscall_64+0x103/0x610
[ 48.270365]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.275722]
[ 48.277333]  -> (&ctx->fault_pending_wqh){+.+.} {
[ 48.282065]    HARDIRQ-ON-W at:
[ 48.285321]                     lock_acquire+0x16f/0x3f0
[ 48.290747]                     _raw_spin_lock+0x2f/0x40
[ 48.296176]                     userfaultfd_release+0x497/0x6d0
[ 48.302211]                     __fput+0x2df/0x8d0
[ 48.307115]                     ____fput+0x16/0x20
[ 48.312022]                     task_work_run+0x14a/0x1c0
[ 48.317534]                     do_exit+0x92c/0x2fd0
[ 48.322622]                     do_group_exit+0x135/0x370
[ 48.328134]                     get_signal+0x35c/0x1d60
[ 48.333483]                     do_signal+0x87/0x1940
[ 48.338662]                     exit_to_usermode_loop+0x244/0x2c0
[ 48.344968]                     do_syscall_64+0x52d/0x610
[ 48.350486]                     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.357299]    SOFTIRQ-ON-W at:
[ 48.360554]                     lock_acquire+0x16f/0x3f0
[ 48.365977]                     _raw_spin_lock+0x2f/0x40
[ 48.371411]                     userfaultfd_release+0x497/0x6d0
[ 48.377443]                     __fput+0x2df/0x8d0
[ 48.382355]                     ____fput+0x16/0x20
[ 48.387259]                     task_work_run+0x14a/0x1c0
[ 48.392774]                     do_exit+0x92c/0x2fd0
[ 48.397850]                     do_group_exit+0x135/0x370
[ 48.403362]                     get_signal+0x35c/0x1d60
[ 48.408700]                     do_signal+0x87/0x1940
[ 48.413869]                     exit_to_usermode_loop+0x244/0x2c0
[ 48.420074]                     do_syscall_64+0x52d/0x610
[ 48.425589]                     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.432397]    INITIAL USE at:
[ 48.435568]                    lock_acquire+0x16f/0x3f0
[ 48.440905]                    _raw_spin_lock+0x2f/0x40
[ 48.446333]                    userfaultfd_read+0x540/0x1940
[ 48.452107]                    __vfs_read+0x116/0x8c0
[ 48.457286]                    vfs_read+0x194/0x3e0
[ 48.462302]                    ksys_read+0xea/0x1f0
[ 48.467296]                    __x64_sys_read+0x73/0xb0
[ 48.472808]                    do_syscall_64+0x103/0x610
[ 48.478255]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.484995]  }
[ 48.486788]  ... key      at: [] __key.44849+0x0/0x40
[ 48.493514]  ... acquired at:
[ 48.496596]    mark_lock+0x427/0x1380
[ 48.500371]    __lock_acquire+0xca5/0x4700
[ 48.504580]    lock_acquire+0x16f/0x3f0
[ 48.508529]    _raw_spin_lock+0x2f/0x40
[ 48.512478]    userfaultfd_release+0x497/0x6d0
[ 48.517034]    __fput+0x2df/0x8d0
[ 48.520465]    ____fput+0x16/0x20
[ 48.523896]    task_work_run+0x14a/0x1c0
[ 48.527936]    do_exit+0x92c/0x2fd0
[ 48.531538]    do_group_exit+0x135/0x370
[ 48.535577]    get_signal+0x35c/0x1d60
[ 48.539443]    do_signal+0x87/0x1940
[ 48.543133]    exit_to_usermode_loop+0x244/0x2c0
[ 48.548036]    do_syscall_64+0x52d/0x610
[ 48.552088]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.557424]
[ 48.559028]
[ 48.559028] stack backtrace:
[ 48.563502] CPU: 0 PID: 7762 Comm: syz-executor666 Not tainted 5.0.0-rc5+ #64
[ 48.570748] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.580075] Call Trace:
[ 48.582643]  dump_stack+0x172/0x1f0
[ 48.586252]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 48.591605]  check_usage_backwards.cold+0x1d/0x26
[ 48.596427]  ? print_shortest_lock_dependencies+0x90/0x90
[ 48.601952]  ? save_stack_trace+0x1a/0x20
[ 48.606082]  ? save_trace+0xe0/0x290
[ 48.609776]  mark_lock+0x427/0x1380
[ 48.613400]  ? print_shortest_lock_dependencies+0x90/0x90
[ 48.618918]  __lock_acquire+0xca5/0x4700
[ 48.622959]  ? is_bpf_text_address+0xd3/0x170
[ 48.627438]  ? kernel_text_address+0x73/0xf0
[ 48.631824]  ? mark_held_locks+0x100/0x100
[ 48.636043]  ? __lock_acquire+0x53b/0x4700
[ 48.640256]  ? __lock_acquire+0x53b/0x4700
[ 48.644468]  ? free_fs_struct+0x4f/0x70
[ 48.648416]  ? do_exit+0x902/0x2fd0
[ 48.652020]  lock_acquire+0x16f/0x3f0
[ 48.655800]  ? userfaultfd_release+0x497/0x6d0
[ 48.660360]  _raw_spin_lock+0x2f/0x40
[ 48.664140]  ? userfaultfd_release+0x497/0x6d0
[ 48.668698]  userfaultfd_release+0x497/0x6d0
[ 48.673087]  ? userfaultfd_event_wait_completion+0xa50/0xa50
[ 48.678861]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 48.684387]  ? ima_file_free+0xc9/0x4a0
[ 48.688337]  ? __might_sleep+0x95/0x190
[ 48.692306]  ? userfaultfd_event_wait_completion+0xa50/0xa50
[ 48.698077]  __fput+0x2df/0x8d0
[ 48.701333]  ____fput+0x16/0x20
[ 48.704588]  task_work_run+0x14a/0x1c0
[ 48.708451]  do_exit+0x92c/0x2fd0
[ 48.711883]  ? get_signal+0x2f2/0x1d60
[ 48.715753]  ? mm_update_next_owner+0x660/0x660
[ 48.720403]  ? kasan_check_read+0x11/0x20
[ 48.724528]  ? _raw_spin_unlock_irq+0x28/0x90
[ 48.728997]  ? get_signal+0x2f2/0x1d60
[ 48.732872]  ? _raw_spin_unlock_irq+0x28/0x90
[ 48.737354]  do_group_exit+0x135/0x370
[ 48.741216]  get_signal+0x35c/0x1d60
[ 48.744910]  ? __x64_sys_io_submit+0x31f/0x580
[ 48.749471]  do_signal+0x87/0x1940
[ 48.752990]  ? lock_downgrade+0x810/0x810
[ 48.757115]  ? kasan_check_read+0x11/0x20
[ 48.761260]  ? setup_sigcontext+0x7d0/0x7d0
[ 48.765659]  ? exit_to_usermode_loop+0x43/0x2c0
[ 48.770302]  ? do_syscall_64+0x52d/0x610
[ 48.774340]  ? exit_to_usermode_loop+0x43/0x2c0
[ 48.778996]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 48.783556]  ? trace_hardirqs_on+0x67/0x230
[ 48.787858]  exit_to_usermode_loop+0x244/0x2c0
[ 48.792460]  do_syscall_64+0x52d/0x610
[ 48.796327]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.801500] RIP: 0033:0x4457e9
[ 48.804675] Code: Bad RIP value.
[ 48.808017] RSP: 002b:00007f4ad2046db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 48.815714] RAX: fffffffffffffe00 RBX: 00000000006dac58 RCX: 00000000004457e9 [