[ 33.045228] audit: type=1800 audit(1549112625.720:27): pid=7279 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 33.045251] audit: type=1800 audit(1549112625.730:28): pid=7279 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[ 33.961345] audit: type=1800 audit(1549112626.690:29): pid=7279 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 33.982182] audit: type=1800 audit(1549112626.690:30): pid=7279 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.233' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 44.881632]
[ 44.883354] ========================================================
[ 44.889901] WARNING: possible irq lock inversion dependency detected
[ 44.896384] 5.0.0-rc4+ #57 Not tainted
[ 44.900249] --------------------------------------------------------
[ 44.906798] syz-executor353/7431 just changed the state of lock:
[ 44.912930] 000000001cb2464b (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x497/0x6d0
[ 44.921933] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 44.929263]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 44.929269]
[ 44.929269]
[ 44.929269] and interrupts could create inverse lock ordering between them.
[ 44.929269]
[ 44.945330]
[ 44.945330] other info that might help us debug this:
[ 44.951967] Chain exists of:
[ 44.951967]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 44.951967]
[ 44.964086]  Possible interrupt unsafe locking scenario:
[ 44.964086]
[ 44.970992]        CPU0                    CPU1
[ 44.975636]        ----                    ----
[ 44.980338]   lock(&ctx->fault_pending_wqh);
[ 44.984810]                                local_irq_disable();
[ 44.990849]                                lock(&(&ctx->ctx_lock)->rlock);
[ 44.997840]                                lock(&ctx->fd_wqh);
[ 45.003789]
[ 45.006525]     lock(&(&ctx->ctx_lock)->rlock);
[ 45.011171]
[ 45.011171]  *** DEADLOCK ***
[ 45.011171]
[ 45.017212] no locks held by syz-executor353/7431.
[ 45.022115]
[ 45.022115] the shortest dependencies between 2nd lock and 1st lock:
[ 45.030062]  -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 45.035110]     IN-SOFTIRQ-W at:
[ 45.038556]       lock_acquire+0x16f/0x3f0
[ 45.044332]       _raw_spin_lock_irq+0x60/0x80
[ 45.050456]       free_ioctx_users+0x2d/0x4a0
[ 45.056503]       percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[ 45.063932]       rcu_process_callbacks+0x928/0x1390
[ 45.070584]       __do_softirq+0x266/0x95a
[ 45.076363]       irq_exit+0x180/0x1d0
[ 45.081794]       smp_apic_timer_interrupt+0x14a/0x570
[ 45.088625]       apic_timer_interrupt+0xf/0x20
[ 45.094837]       native_safe_halt+0x2/0x10
[ 45.100709]       arch_cpu_idle+0x10/0x20
[ 45.106399]       default_idle_call+0x36/0x90
[ 45.112438]       do_idle+0x386/0x570
[ 45.117787]       cpu_startup_entry+0x1b/0x20
[ 45.123840]       start_secondary+0x404/0x5c0
[ 45.129878]       secondary_startup_64+0xa4/0xb0
[ 45.136171]     INITIAL USE at:
[ 45.139517]       lock_acquire+0x16f/0x3f0
[ 45.145212]       _raw_spin_lock_irq+0x60/0x80
[ 45.151311]       io_submit_one+0xeb6/0x1cf0
[ 45.157183]       __ia32_compat_sys_io_submit+0x1be/0x570
[ 45.164184]       do_fast_syscall_32+0x281/0xc98
[ 45.170397]       entry_SYSENTER_compat+0x70/0x7f
[ 45.176756]   }
[ 45.178730]   ... key at: [] __key.51972+0x0/0x40
[ 45.185633]   ... acquired at:
[ 45.188897]     _raw_spin_lock+0x2f/0x40
[ 45.192850]     io_submit_one+0xedf/0x1cf0
[ 45.196977]     __ia32_compat_sys_io_submit+0x1be/0x570
[ 45.202233]     do_fast_syscall_32+0x281/0xc98
[ 45.206706]     entry_SYSENTER_compat+0x70/0x7f
[ 45.211260]
[ 45.212876]  -> (&ctx->fd_wqh){....} {
[ 45.216749]     INITIAL USE at:
[ 45.220008]       lock_acquire+0x16f/0x3f0
[ 45.225532]       _raw_spin_lock_irq+0x60/0x80
[ 45.231401]       userfaultfd_read+0x27a/0x1940
[ 45.237351]       __vfs_read+0x116/0x8c0
[ 45.242708]       vfs_read+0x194/0x3e0
[ 45.247878]       ksys_read+0xea/0x1f0
[ 45.253052]       __ia32_sys_read+0x71/0xb0
[ 45.258658]       do_fast_syscall_32+0x281/0xc98
[ 45.264704]       entry_SYSENTER_compat+0x70/0x7f
[ 45.270823]   }
[ 45.272693]   ... key at: [] __key.44854+0x0/0x40
[ 45.279503]   ... acquired at:
[ 45.282676]     _raw_spin_lock+0x2f/0x40
[ 45.286628]     userfaultfd_read+0x540/0x1940
[ 45.291018]     __vfs_read+0x116/0x8c0
[ 45.294845]     vfs_read+0x194/0x3e0
[ 45.298457]     ksys_read+0xea/0x1f0
[ 45.302065]     __ia32_sys_read+0x71/0xb0
[ 45.306718]     do_fast_syscall_32+0x281/0xc98
[ 45.311193]     entry_SYSENTER_compat+0x70/0x7f
[ 45.315748]
[ 45.317359]  -> (&ctx->fault_pending_wqh){+.+.} {
[ 45.322096]     HARDIRQ-ON-W at:
[ 45.325355]       lock_acquire+0x16f/0x3f0
[ 45.330787]       _raw_spin_lock+0x2f/0x40
[ 45.336217]       userfaultfd_release+0x497/0x6d0
[ 45.342270]       __fput+0x2df/0x8d0
[ 45.347230]       ____fput+0x16/0x20
[ 45.352160]       task_work_run+0x14a/0x1c0
[ 45.357725]       do_exit+0x92c/0x2db0
[ 45.362812]       do_group_exit+0x135/0x370
[ 45.368331]       __ia32_sys_exit_group+0x44/0x50
[ 45.374417]       do_fast_syscall_32+0x281/0xc98
[ 45.380382]       entry_SYSENTER_compat+0x70/0x7f
[ 45.386414]     SOFTIRQ-ON-W at:
[ 45.389672]       lock_acquire+0x16f/0x3f0
[ 45.395099]       _raw_spin_lock+0x2f/0x40
[ 45.400535]       userfaultfd_release+0x497/0x6d0
[ 45.406576]       __fput+0x2df/0x8d0
[ 45.411486]       ____fput+0x16/0x20
[ 45.416394]       task_work_run+0x14a/0x1c0
[ 45.421961]       do_exit+0x92c/0x2db0
[ 45.427049]       do_group_exit+0x135/0x370
[ 45.432569]       __ia32_sys_exit_group+0x44/0x50
[ 45.438654]       do_fast_syscall_32+0x281/0xc98
[ 45.444613]       entry_SYSENTER_compat+0x70/0x7f
[ 45.450644]     INITIAL USE at:
[ 45.453816]       lock_acquire+0x16f/0x3f0
[ 45.459170]       _raw_spin_lock+0x2f/0x40
[ 45.464520]       userfaultfd_read+0x540/0x1940
[ 45.470355]       __vfs_read+0x116/0x8c0
[ 45.475536]       vfs_read+0x194/0x3e0
[ 45.480555]       ksys_read+0xea/0x1f0
[ 45.485559]       __ia32_sys_read+0x71/0xb0
[ 45.490990]       do_fast_syscall_32+0x281/0xc98
[ 45.496855]       entry_SYSENTER_compat+0x70/0x7f
[ 45.502800]   }
[ 45.504591]   ... key at: [] __key.44851+0x0/0x40
[ 45.511316]   ... acquired at:
[ 45.514546]     mark_lock+0x427/0x1380
[ 45.518335]     __lock_acquire+0xca5/0x4700
[ 45.522547]     lock_acquire+0x16f/0x3f0
[ 45.526553]     _raw_spin_lock+0x2f/0x40
[ 45.530511]     userfaultfd_release+0x497/0x6d0
[ 45.535070]     __fput+0x2df/0x8d0
[ 45.538498]     ____fput+0x16/0x20
[ 45.541935]     task_work_run+0x14a/0x1c0
[ 45.545972]     do_exit+0x92c/0x2db0
[ 45.549584]     do_group_exit+0x135/0x370
[ 45.553628]     __ia32_sys_exit_group+0x44/0x50
[ 45.558576]     do_fast_syscall_32+0x281/0xc98
[ 45.563177]     entry_SYSENTER_compat+0x70/0x7f
[ 45.567777]
[ 45.569388]
[ 45.569388] stack backtrace:
[ 45.573988] CPU: 1 PID: 7431 Comm: syz-executor353 Not tainted 5.0.0-rc4+ #57
[ 45.581657] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.590988] Call Trace:
[ 45.593556]  dump_stack+0x172/0x1f0
[ 45.597164]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 45.602571]  check_usage_backwards.cold+0x1d/0x26
[ 45.607437]  ? print_shortest_lock_dependencies+0x90/0x90
[ 45.613068]  ? save_stack_trace+0x1a/0x20
[ 45.617194]  ? save_trace+0xe0/0x290
[ 45.621057]  mark_lock+0x427/0x1380
[ 45.624663]  ? print_shortest_lock_dependencies+0x90/0x90
[ 45.630180]  __lock_acquire+0xca5/0x4700
[ 45.634218]  ? depot_save_stack+0x1de/0x460
[ 45.638526]  ? kasan_check_read+0x11/0x20
[ 45.642673]  ? mark_held_locks+0x100/0x100
[ 45.646886]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 45.652009]  ? depot_save_stack+0x1de/0x460
[ 45.656325]  ? __lock_acquire+0x53b/0x4700
[ 45.660534]  ? __lock_acquire+0x53b/0x4700
[ 45.664745]  ? free_fs_struct+0x4f/0x70
[ 45.668700]  ? do_exit+0x902/0x2db0
[ 45.673124]  lock_acquire+0x16f/0x3f0
[ 45.676906]  ? userfaultfd_release+0x497/0x6d0
[ 45.681466]  _raw_spin_lock+0x2f/0x40
[ 45.685245]  ? userfaultfd_release+0x497/0x6d0
[ 45.689923]  userfaultfd_release+0x497/0x6d0
[ 45.694315]  ? userfaultfd_event_wait_completion+0xa50/0xa50
[ 45.700198]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 45.705878]  ? ima_file_free+0xc9/0x4a0
[ 45.709830]  ? __might_sleep+0x95/0x190
[ 45.713781]  ? userfaultfd_event_wait_completion+0xa50/0xa50
[ 45.719563]  __fput+0x2df/0x8d0
[ 45.722937]  ____fput+0x16/0x20
[ 45.726205]  task_work_run+0x14a/0x1c0
[ 45.730078]  do_exit+0x92c/0x2db0
[ 45.733519]  ? mm_update_next_owner+0x660/0x660
[ 45.738168]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 45.743687]  ? __ia32_compat_sys_io_submit+0x356/0x570
[ 45.748941]  ? __ia32_sys_io_submit+0x560/0x560
[ 45.753592]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 45.758329]  do_group_exit+0x135/0x370
[ 45.762194]  __ia32_sys_exit_group+0x44/0x50
[ 45.766582]  do_fast_syscall_32+0x281/0xc98
[ 45.770879]  entry_SYSENTER_compat+0x70/0x7f
[ 45.775262] RIP: 0023:0xf7f85869
[ 45.778609] Code: Bad RIP value.
[ 45.781950] RSP: 002b:00000000ffb5dd9c E