[ 38.733464][ T26] audit: type=1800 audit(1554776904.838:25): pid=7797 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 38.777198][ T26] audit: type=1800 audit(1554776904.848:26): pid=7797 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 38.801738][ T26] audit: type=1800 audit(1554776904.848:27): pid=7797 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[FAIL] startpar: service(s) returned failure: ssh ... failed!

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.1' (ECDSA) to the list of known hosts.
executing program

syzkaller login: [ 49.515795][ T7973]
[ 49.518163][ T7973] ========================================================
[ 49.525333][ T7973] WARNING: possible irq lock inversion dependency detected
[ 49.532501][ T7973] 5.1.0-rc3-next-20190408 #20 Not tainted
[ 49.538209][ T7973] --------------------------------------------------------
[ 49.545376][ T7973] syz-executor195/7973 just changed the state of lock:
[ 49.552194][ T7973] 00000000735b6adf (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x4ca/0x710
[ 49.561896][ T7973] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 49.569930][ T7973]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 49.569938][ T7973]
[ 49.569938][ T7973]
[ 49.569938][ T7973] and interrupts could create inverse lock ordering between them.
[ 49.569938][ T7973]
[ 49.589391][ T7973]
[ 49.589391][ T7973] other info that might help us debug this:
[ 49.597433][ T7973] Chain exists of:
[ 49.597433][ T7973]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 49.597433][ T7973]
[ 49.611651][ T7973]  Possible interrupt unsafe locking scenario:
[ 49.611651][ T7973]
[ 49.619956][ T7973]        CPU0                    CPU1
[ 49.625422][ T7973]        ----                    ----
[ 49.630777][ T7973]   lock(&ctx->fault_pending_wqh);
[ 49.635881][ T7973]                                local_irq_disable();
[ 49.642612][ T7973]                                lock(&(&ctx->ctx_lock)->rlock);
[ 49.650304][ T7973]                                lock(&ctx->fd_wqh);
[ 49.656952][ T7973]   <Interrupt>
[ 49.660383][ T7973]     lock(&(&ctx->ctx_lock)->rlock);
[ 49.665730][ T7973]
[ 49.665730][ T7973]  *** DEADLOCK ***
[ 49.665730][ T7973]
[ 49.673902][ T7973] no locks held by syz-executor195/7973.
[ 49.679526][ T7973]
[ 49.679526][ T7973] the shortest dependencies between 2nd lock and 1st lock:
[ 49.688889][ T7973]  -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 49.694587][ T7973]     IN-SOFTIRQ-W at:
[ 49.698724][ T7973]       lock_acquire+0x16f/0x3f0
[ 49.705206][ T7973]       _raw_spin_lock_irq+0x60/0x80
[ 49.712058][ T7973]       free_ioctx_users+0x2d/0x4a0
[ 49.718806][ T7973]       percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[ 49.726945][ T7973]       rcu_core+0x985/0x1410
[ 49.733191][ T7973]       __do_softirq+0x266/0x95a
[ 49.739679][ T7973]       irq_exit+0x180/0x1d0
[ 49.745821][ T7973]       smp_apic_timer_interrupt+0x14a/0x570
[ 49.753345][ T7973]       apic_timer_interrupt+0xf/0x20
[ 49.760257][ T7973]       native_safe_halt+0x2/0x10
[ 49.766828][ T7973]       arch_cpu_idle+0x10/0x20
[ 49.773222][ T7973]       default_idle_call+0x36/0x90
[ 49.779960][ T7973]       do_idle+0x386/0x570
[ 49.786004][ T7973]       cpu_startup_entry+0x1b/0x20
[ 49.792740][ T7973]       rest_init+0x245/0x37b
[ 49.798955][ T7973]       arch_call_rest_init+0xe/0x1b
[ 49.805784][ T7973]       start_kernel+0x816/0x84f
[ 49.812289][ T7973]       x86_64_start_reservations+0x29/0x2b
[ 49.819726][ T7973]       x86_64_start_kernel+0x77/0x7b
[ 49.826640][ T7973]       secondary_startup_64+0xa4/0xb0
[ 49.833629][ T7973]     INITIAL USE at:
[ 49.837674][ T7973]       lock_acquire+0x16f/0x3f0
[ 49.844072][ T7973]       _raw_spin_lock_irq+0x60/0x80
[ 49.850828][ T7973]       io_submit_one+0xae2/0x2f40
[ 49.858160][ T7973]       __x64_sys_io_submit+0x1bd/0x580
[ 49.865159][ T7973]       do_syscall_64+0x103/0x610
[ 49.871652][ T7973]       entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 49.879459][ T7973]   }
[ 49.882117][ T7973]   ... key at: [] __key.52858+0x0/0x40
[ 49.889716][ T7973]   ... acquired at:
[ 49.893677][ T7973]    lock_acquire+0x16f/0x3f0
[ 49.898326][ T7973]    _raw_spin_lock+0x2f/0x40
[ 49.903017][ T7973]    io_submit_one+0xb27/0x2f40
[ 49.907843][ T7973]    __x64_sys_io_submit+0x1bd/0x580
[ 49.913126][ T7973]    do_syscall_64+0x103/0x610
[ 49.917885][ T7973]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 49.924054][ T7973]
[ 49.926355][ T7973]  -> (&ctx->fd_wqh){....} {
[ 49.930930][ T7973]     INITIAL USE at:
[ 49.934892][ T7973]       lock_acquire+0x16f/0x3f0
[ 49.941107][ T7973]       _raw_spin_lock_irq+0x60/0x80
[ 49.947673][ T7973]       userfaultfd_read+0x27a/0x1940
[ 49.954344][ T7973]       __vfs_read+0x8d/0x110
[ 49.960325][ T7973]       vfs_read+0x194/0x3e0
[ 49.966282][ T7973]       ksys_read+0x14f/0x2d0
[ 49.972234][ T7973]       __x64_sys_read+0x73/0xb0
[ 49.978452][ T7973]       do_syscall_64+0x103/0x610
[ 49.984769][ T7973]       entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 49.992367][ T7973]   }
[ 49.994935][ T7973]   ... key at: [] __key.45741+0x0/0x40
[ 50.002450][ T7973]   ... acquired at:
[ 50.006322][ T7973]    lock_acquire+0x16f/0x3f0
[ 50.010974][ T7973]    _raw_spin_lock+0x2f/0x40
[ 50.015646][ T7973]    userfaultfd_read+0x540/0x1940
[ 50.020761][ T7973]    __vfs_read+0x8d/0x110
[ 50.025155][ T7973]    vfs_read+0x194/0x3e0
[ 50.029488][ T7973]    ksys_read+0x14f/0x2d0
[ 50.033896][ T7973]    __x64_sys_read+0x73/0xb0
[ 50.038561][ T7973]    do_syscall_64+0x103/0x610
[ 50.043300][ T7973]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.049336][ T7973]
[ 50.051771][ T7973] -> (&ctx->fault_pending_wqh){+.+.} {
[ 50.057203][ T7973]    HARDIRQ-ON-W at:
[ 50.061165][ T7973]      lock_acquire+0x16f/0x3f0
[ 50.067311][ T7973]      _raw_spin_lock+0x2f/0x40
[ 50.073449][ T7973]      userfaultfd_release+0x4ca/0x710
[ 50.080195][ T7973]      __fput+0x2e5/0x8d0
[ 50.085800][ T7973]      ____fput+0x16/0x20
[ 50.091408][ T7973]      task_work_run+0x14a/0x1c0
[ 50.097625][ T7973]      do_exit+0x90a/0x2fa0
[ 50.103405][ T7973]      do_group_exit+0x135/0x370
[ 50.109641][ T7973]      get_signal+0x399/0x1d50
[ 50.115682][ T7973]      do_signal+0x87/0x1940
[ 50.121548][ T7973]      exit_to_usermode_loop+0x244/0x2c0
[ 50.128505][ T7973]      do_syscall_64+0x52d/0x610
[ 50.134721][ T7973]      entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.142245][ T7973]    SOFTIRQ-ON-W at:
[ 50.146225][ T7973]      lock_acquire+0x16f/0x3f0
[ 50.152367][ T7973]      _raw_spin_lock+0x2f/0x40
[ 50.158509][ T7973]      userfaultfd_release+0x4ca/0x710
[ 50.165247][ T7973]      __fput+0x2e5/0x8d0
[ 50.170854][ T7973]      ____fput+0x16/0x20
[ 50.176817][ T7973]      task_work_run+0x14a/0x1c0
[ 50.183037][ T7973]      do_exit+0x90a/0x2fa0
[ 50.188817][ T7973]      do_group_exit+0x135/0x370
[ 50.195033][ T7973]      get_signal+0x399/0x1d50
[ 50.201074][ T7973]      do_signal+0x87/0x1940
[ 50.206947][ T7973]      exit_to_usermode_loop+0x244/0x2c0
[ 50.213860][ T7973]      do_syscall_64+0x52d/0x610
[ 50.220073][ T7973]      entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.227589][ T7973]    INITIAL USE at:
[ 50.231464][ T7973]      lock_acquire+0x16f/0x3f0
[ 50.237514][ T7973]      _raw_spin_lock+0x2f/0x40
[ 50.243566][ T7973]      userfaultfd_read+0x540/0x1940
[ 50.250043][ T7973]      __vfs_read+0x8d/0x110
[ 50.255828][ T7973]      vfs_read+0x194/0x3e0
[ 50.261547][ T7973]      ksys_read+0x14f/0x2d0
[ 50.267332][ T7973]      __x64_sys_read+0x73/0xb0
[ 50.273379][ T7973]      do_syscall_64+0x103/0x610
[ 50.279508][ T7973]      entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.286961][ T7973]  }
[ 50.289452][ T7973]  ... key at: [] __key.45738+0x0/0x40
[ 50.296895][ T7973]  ... acquired at:
[ 50.300885][ T7973]    mark_lock+0x427/0x1380
[ 50.305384][ T7973]    __lock_acquire+0x1317/0x3fb0
[ 50.310383][ T7973]    lock_acquire+0x16f/0x3f0
[ 50.315033][ T7973]    _raw_spin_lock+0x2f/0x40
[ 50.319686][ T7973]    userfaultfd_release+0x4ca/0x710
[ 50.324953][ T7973]    __fput+0x2e5/0x8d0
[ 50.329093][ T7973]    ____fput+0x16/0x20
[ 50.333227][ T7973]    task_work_run+0x14a/0x1c0
[ 50.337968][ T7973]    do_exit+0x90a/0x2fa0
[ 50.342273][ T7973]    do_group_exit+0x135/0x370
[ 50.347013][ T7973]    get_signal+0x399/0x1d50
[ 50.351577][ T7973]    do_signal+0x87/0x1940
[ 50.355970][ T7973]    exit_to_usermode_loop+0x244/0x2c0
[ 50.361402][ T7973]    do_syscall_64+0x52d/0x610
[ 50.366146][ T7973]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.372189][ T7973]
[ 50.374490][ T7973]
[ 50.374490][ T7973] stack backtrace:
[ 50.380361][ T7973] CPU: 0 PID: 7973 Comm: syz-executor195 Not tainted 5.1.0-rc3-next-20190408 #20
[ 50.389437][ T7973] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.399666][ T7973] Call Trace:
[ 50.402950][ T7973]  dump_stack+0x172/0x1f0
[ 50.407272][ T7973]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 50.413315][ T7973]  check_usage_backwards.cold+0x1d/0x26
[ 50.418854][ T7973]  ? print_shortest_lock_dependencies+0x90/0x90
[ 50.425102][ T7973]  ? save_stack_trace+0x1a/0x20
[ 50.429936][ T7973]  mark_lock+0x427/0x1380
[ 50.434274][ T7973]  ? print_shortest_lock_dependencies+0x90/0x90
[ 50.440494][ T7973]  __lock_acquire+0x1317/0x3fb0
[ 50.445331][ T7973]  ? trace_hardirqs_off+0x62/0x220
[ 50.450435][ T7973]  ? kasan_check_read+0x11/0x20
[ 50.455275][ T7973]  ? mark_held_locks+0xf0/0xf0
[ 50.460014][ T7973]  ? save_stack+0xa9/0xd0
[ 50.464321][ T7973]  ? save_stack+0x45/0xd0
[ 50.468626][ T7973]  ? __kasan_slab_free+0x102/0x150
[ 50.473740][ T7973]  ? kasan_slab_free+0xe/0x10
[ 50.478418][ T7973]  ? kmem_cache_free+0x86/0x260
[ 50.483260][ T7973]  ? free_fs_struct+0x4f/0x70
[ 50.487916][ T7973]  ? exit_fs+0xf0/0x130
[ 50.492052][ T7973]  lock_acquire+0x16f/0x3f0
[ 50.496534][ T7973]  ? userfaultfd_release+0x4ca/0x710
[ 50.501797][ T7973]  _raw_spin_lock+0x2f/0x40
[ 50.506285][ T7973]  ? userfaultfd_release+0x4ca/0x710
[ 50.511555][ T7973]  userfaultfd_release+0x4ca/0x710
[ 50.516645][ T7973]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 50.522427][ T7973]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 50.528645][ T7973]  ? ima_file_free+0xc9/0x4a0
[ 50.533296][ T7973]  ? __might_sleep+0x95/0x190
[ 50.537953][ T7973]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 50.543746][ T7973]  __fput+0x2e5/0x8d0
[ 50.547792][ T7973]  ____fput+0x16/0x20
[ 50.551752][ T7973]  task_work_run+0x14a/0x1c0
[ 50.556332][ T7973]  do_exit+0x90a/0x2fa0
[ 50.560468][ T7973]  ? get_signal+0x331/0x1d50
[ 50.565034][ T7973]  ? mm_update_next_owner+0x640/0x640
[ 50.570396][ T7973]  ? kasan_check_write+0x14/0x20
[ 50.575333][ T7973]  ? _raw_spin_unlock_irq+0x28/0x90
[ 50.580508][ T7973]  ? get_signal+0x331/0x1d50
[ 50.585086][ T7973]  ? _raw_spin_unlock_irq+0x28/0x90
[ 50.590260][ T7973]  do_group_exit+0x135/0x370
[ 50.594827][ T7973]  get_signal+0x399/0x1d50
[ 50.599255][ T7973]  ? __x64_sys_io_submit+0x31f/0x580
[ 50.604521][ T7973]  do_signal+0x87/0x1940
[ 50.608739][ T7973]  ? lock_downgrade+0x880/0x880
[ 50.613568][ T7973]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 50.619831][ T7973]  ? kasan_check_read+0x11/0x20
[ 50.624662][ T7973]  ? setup_sigcontext+0x7d0/0x7d0
[ 50.629664][ T7973]  ? exit_to_usermode_loop+0x43/0x2c0
[ 50.635012][ T7973]  ? do_syscall_64+0x52d/0x610
[ 50.639751][ T7973]  ? exit_to_usermode_loop+0x43/0x2c0
[ 50.645122][ T7973]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 50.650384][ T7973]  ? trace_hardirqs_on+0x67/0x230
[ 50.655387][ T7973]  exit_to_usermode_loop+0x244/0x2c0
[ 50.660652][ T7973]  do_syscall_64+0x52d/0x610
[ 50.665222][ T7973]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.671107][ T7973] RIP: 0033:0x4458d9
[ 50.674985][ T7973] Code: Bad RIP value.
[ 50.679128][ T7973] RSP: 002b:00007f97707badb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 50.687639][ T7973] RAX: fffffffffffffe00 RBX: 00000000006dac58 RCX: 00000000004458d9
[ 50.695589][ T7973] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dac58
[ 50.703541][ T7973] RBP: 00000000006dac50 R08: 0000000000000000 R09: 0000000000000000
[ 50.711489][ T7973] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac5c
[ 50.719447][ T7973