[   37.482978][   T26] audit: type=1800 audit(1553809911.855:27): pid=7589 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[   37.511584][   T26] audit: type=1800 audit(1553809911.855:28): pid=7589 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   38.453126][   T26] audit: type=1800 audit(1553809912.885:29): pid=7589 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   38.473636][   T26] audit: type=1800 audit(1553809912.885:30): pid=7589 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.104' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   48.344428][ T7743] 
[   48.346780][ T7743] ========================================================
[   48.353947][ T7743] WARNING: possible irq lock inversion dependency detected
[   48.361114][ T7743] 5.1.0-rc2-next-20190328 #13 Not tainted
[   48.366800][ T7743] --------------------------------------------------------
[   48.373966][ T7743] syz-executor687/7743 just changed the state of lock:
[   48.380779][ T7743] 000000002da71473 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0
[   48.390475][ T7743] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[   48.398530][ T7743]  (&(&ctx->ctx_lock)->rlock){..-.}
[   48.398537][ T7743] 
[   48.398537][ T7743] 
[   48.398537][ T7743] and interrupts could create inverse lock ordering between them.
[   48.398537][ T7743] 
[   48.418027][ T7743] 
[   48.418027][ T7743] other info that might help us debug this:
[   48.426076][ T7743] Chain exists of:
[   48.426076][ T7743]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[   48.426076][ T7743] 
[   48.441267][ T7743]  Possible interrupt unsafe locking scenario:
[   48.441267][ T7743] 
[   48.449570][ T7743]        CPU0                    CPU1
[   48.454912][ T7743]        ----                    ----
[   48.460249][ T7743]   lock(&ctx->fault_pending_wqh);
[   48.465332][ T7743]                                local_irq_disable();
[   48.472066][ T7743]                                lock(&(&ctx->ctx_lock)->rlock);
[   48.480124][ T7743]                                lock(&ctx->fd_wqh);
[   48.486787][ T7743]   <Interrupt>
[   48.490220][ T7743]     lock(&(&ctx->ctx_lock)->rlock);
[   48.495562][ T7743] 
[   48.495562][ T7743]  *** DEADLOCK ***
[   48.495562][ T7743] 
[   48.503701][ T7743] no locks held by syz-executor687/7743.
[   48.509303][ T7743] 
[   48.509303][ T7743] the shortest dependencies between 2nd lock and 1st lock:
[   48.518649][ T7743]   -> (&(&ctx->ctx_lock)->rlock){..-.} {
[   48.524344][ T7743]      IN-SOFTIRQ-W at:
[   48.528499][ T7743]                         lock_acquire+0x16f/0x3f0
[   48.534981][ T7743]                         _raw_spin_lock_irq+0x60/0x80
[   48.541805][ T7743]                         free_ioctx_users+0x2d/0x4a0
[   48.548557][ T7743]                         percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[   48.556706][ T7743]                         rcu_core+0x928/0x1390
[   48.562923][ T7743]                         __do_softirq+0x266/0x95a
[   48.569406][ T7743]                         irq_exit+0x180/0x1d0
[   48.575538][ T7743]                         smp_apic_timer_interrupt+0x14a/0x570
[   48.583057][ T7743]                         apic_timer_interrupt+0xf/0x20
[   48.589985][ T7743]                         native_safe_halt+0x2/0x10
[   48.596551][ T7743]                         arch_cpu_idle+0x10/0x20
[   48.602940][ T7743]                         default_idle_call+0x36/0x90
[   48.609681][ T7743]                         do_idle+0x386/0x570
[   48.615726][ T7743]                         cpu_startup_entry+0x1b/0x20
[   48.622485][ T7743]                         rest_init+0x245/0x37b
[   48.628701][ T7743]                         arch_call_rest_init+0xe/0x1b
[   48.635524][ T7743]                         start_kernel+0x816/0x84f
[   48.642020][ T7743]                         x86_64_start_reservations+0x29/0x2b
[   48.649466][ T7743]                         x86_64_start_kernel+0x77/0x7b
[   48.656378][ T7743]                         secondary_startup_64+0xa4/0xb0
[   48.663376][ T7743]      INITIAL USE at:
[   48.667426][ T7743]                        lock_acquire+0x16f/0x3f0
[   48.673819][ T7743]                        _raw_spin_lock_irq+0x60/0x80
[   48.680641][ T7743]                        io_submit_one+0xe0c/0x1cf0
[   48.687205][ T7743]                        __x64_sys_io_submit+0x1bd/0x580
[   48.694203][ T7743]                        do_syscall_64+0x103/0x610
[   48.700697][ T7743]                        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   48.708470][ T7743]    }
[   48.711128][ T7743]    ... key      at: [<ffffffff8a5f60a0>] __key.52784+0x0/0x40
[   48.718727][ T7743]    ... acquired at:
[   48.722686][ T7743]    lock_acquire+0x16f/0x3f0
[   48.727340][ T7743]    _raw_spin_lock+0x2f/0x40
[   48.731997][ T7743]    io_submit_one+0xe35/0x1cf0
[   48.736848][ T7743]    __x64_sys_io_submit+0x1bd/0x580
[   48.742110][ T7743]    do_syscall_64+0x103/0x610
[   48.746972][ T7743]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   48.753007][ T7743] 
[   48.755307][ T7743]  -> (&ctx->fd_wqh){....} {
[   48.759875][ T7743]     INITIAL USE at:
[   48.763833][ T7743]                      lock_acquire+0x16f/0x3f0
[   48.770046][ T7743]                      _raw_spin_lock_irq+0x60/0x80
[   48.776611][ T7743]                      userfaultfd_read+0x27a/0x1940
[   48.783291][ T7743]                      do_iter_read+0x4a9/0x660
[   48.789511][ T7743]                      vfs_readv+0xf0/0x160
[   48.795406][ T7743]                      do_readv+0xf6/0x290
[   48.801190][ T7743]                      __x64_sys_readv+0x75/0xb0
[   48.807492][ T7743]                      do_syscall_64+0x103/0x610
[   48.813800][ T7743]                      entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   48.821398][ T7743]   }
[   48.823970][ T7743]   ... key      at: [<ffffffff8a5f5e20>] __key.45593+0x0/0x40
[   48.831479][ T7743]   ... acquired at:
[   48.835351][ T7743]    lock_acquire+0x16f/0x3f0
[   48.840023][ T7743]    _raw_spin_lock+0x2f/0x40
[   48.844676][ T7743]    userfaultfd_read+0x540/0x1940
[   48.849763][ T7743]    do_iter_read+0x4a9/0x660
[   48.854414][ T7743]    vfs_readv+0xf0/0x160
[   48.858747][ T7743]    do_readv+0xf6/0x290
[   48.862991][ T7743]    __x64_sys_readv+0x75/0xb0
[   48.867743][ T7743]    do_syscall_64+0x103/0x610
[   48.872497][ T7743]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   48.878534][ T7743] 
[   48.880835][ T7743] -> (&ctx->fault_pending_wqh){+.+.} {
[   48.886263][ T7743]    HARDIRQ-ON-W at:
[   48.890224][ T7743]                     lock_acquire+0x16f/0x3f0
[   48.896354][ T7743]                     _raw_spin_lock+0x2f/0x40
[   48.902482][ T7743]                     userfaultfd_release+0x48e/0x6d0
[   48.909232][ T7743]                     __fput+0x2e5/0x8d0
[   48.914842][ T7743]                     ____fput+0x16/0x20
[   48.920453][ T7743]                     task_work_run+0x14a/0x1c0
[   48.926664][ T7743]                     do_exit+0x90a/0x2fa0
[   48.932463][ T7743]                     do_group_exit+0x135/0x370
[   48.938679][ T7743]                     get_signal+0x399/0x1d50
[   48.944739][ T7743]                     do_signal+0x87/0x1940
[   48.950625][ T7743]                     exit_to_usermode_loop+0x244/0x2c0
[   48.957537][ T7743]                     do_syscall_64+0x52d/0x610
[   48.963766][ T7743]                     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   48.971286][ T7743]    SOFTIRQ-ON-W at:
[   48.975248][ T7743]                     lock_acquire+0x16f/0x3f0
[   48.981373][ T7743]                     _raw_spin_lock+0x2f/0x40
[   48.987523][ T7743]                     userfaultfd_release+0x48e/0x6d0
[   48.994262][ T7743]                     __fput+0x2e5/0x8d0
[   48.999864][ T7743]                     ____fput+0x16/0x20
[   49.005473][ T7743]                     task_work_run+0x14a/0x1c0
[   49.011688][ T7743]                     do_exit+0x90a/0x2fa0
[   49.017471][ T7743]                     do_group_exit+0x135/0x370
[   49.023686][ T7743]                     get_signal+0x399/0x1d50
[   49.029726][ T7743]                     do_signal+0x87/0x1940
[   49.035596][ T7743]                     exit_to_usermode_loop+0x244/0x2c0
[   49.042503][ T7743]                     do_syscall_64+0x52d/0x610
[   49.048721][ T7743]                     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.056236][ T7743]    INITIAL USE at:
[   49.060127][ T7743]                    lock_acquire+0x16f/0x3f0
[   49.066184][ T7743]                    _raw_spin_lock+0x2f/0x40
[   49.072228][ T7743]                    userfaultfd_read+0x540/0x1940
[   49.078722][ T7743]                    do_iter_read+0x4a9/0x660
[   49.084768][ T7743]                    vfs_readv+0xf0/0x160
[   49.090462][ T7743]                    do_readv+0xf6/0x290
[   49.096069][ T7743]                    __x64_sys_readv+0x75/0xb0
[   49.102196][ T7743]                    do_syscall_64+0x103/0x610
[   49.108321][ T7743]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.115746][ T7743]  }
[   49.118248][ T7743]  ... key      at: [<ffffffff8a5f5ee0>] __key.45590+0x0/0x40
[   49.125668][ T7743]  ... acquired at:
[   49.129448][ T7743]    mark_lock+0x427/0x1380
[   49.133929][ T7743]    __lock_acquire+0x1317/0x3fb0
[   49.138926][ T7743]    lock_acquire+0x16f/0x3f0
[   49.143593][ T7743]    _raw_spin_lock+0x2f/0x40
[   49.148252][ T7743]    userfaultfd_release+0x48e/0x6d0
[   49.153512][ T7743]    __fput+0x2e5/0x8d0
[   49.157638][ T7743]    ____fput+0x16/0x20
[   49.161789][ T7743]    task_work_run+0x14a/0x1c0
[   49.166525][ T7743]    do_exit+0x90a/0x2fa0
[   49.170823][ T7743]    do_group_exit+0x135/0x370
[   49.175558][ T7743]    get_signal+0x399/0x1d50
[   49.180117][ T7743]    do_signal+0x87/0x1940
[   49.184505][ T7743]    exit_to_usermode_loop+0x244/0x2c0
[   49.189967][ T7743]    do_syscall_64+0x52d/0x610
[   49.194707][ T7743]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.200739][ T7743] 
[   49.203036][ T7743] 
[   49.203036][ T7743] stack backtrace:
[   49.208904][ T7743] CPU: 0 PID: 7743 Comm: syz-executor687 Not tainted 5.1.0-rc2-next-20190328 #13
[   49.217980][ T7743] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.228008][ T7743] Call Trace:
[   49.231276][ T7743]  dump_stack+0x172/0x1f0
[   49.235602][ T7743]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[   49.241657][ T7743]  check_usage_backwards.cold+0x1d/0x26
[   49.247175][ T7743]  ? print_shortest_lock_dependencies+0x90/0x90
[   49.253392][ T7743]  ? save_stack_trace+0x1a/0x20
[   49.258235][ T7743]  mark_lock+0x427/0x1380
[   49.262556][ T7743]  ? print_shortest_lock_dependencies+0x90/0x90
[   49.268786][ T7743]  __lock_acquire+0x1317/0x3fb0
[   49.273613][ T7743]  ? trace_hardirqs_off+0x62/0x220
[   49.278700][ T7743]  ? kasan_check_read+0x11/0x20
[   49.283526][ T7743]  ? mark_held_locks+0xf0/0xf0
[   49.288285][ T7743]  ? save_stack+0xa9/0xd0
[   49.292590][ T7743]  ? save_stack+0x45/0xd0
[   49.302368][ T7743]  ? __kasan_slab_free+0x102/0x150
[   49.307456][ T7743]  ? kasan_slab_free+0xe/0x10
[   49.312116][ T7743]  ? kmem_cache_free+0x86/0x260
[   49.316940][ T7743]  ? free_fs_struct+0x4f/0x70
[   49.321593][ T7743]  ? exit_fs+0xf0/0x130
[   49.325722][ T7743]  lock_acquire+0x16f/0x3f0
[   49.330205][ T7743]  ? userfaultfd_release+0x48e/0x6d0
[   49.335470][ T7743]  _raw_spin_lock+0x2f/0x40
[   49.340009][ T7743]  ? userfaultfd_release+0x48e/0x6d0
[   49.345266][ T7743]  userfaultfd_release+0x48e/0x6d0
[   49.350442][ T7743]  ? userfaultfd_wake_function+0x2f0/0x2f0
[   49.356230][ T7743]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   49.362449][ T7743]  ? ima_file_free+0xc9/0x4a0
[   49.367102][ T7743]  ? __might_sleep+0x95/0x190
[   49.371751][ T7743]  ? userfaultfd_wake_function+0x2f0/0x2f0
[   49.377531][ T7743]  __fput+0x2e5/0x8d0
[   49.381488][ T7743]  ____fput+0x16/0x20
[   49.385449][ T7743]  task_work_run+0x14a/0x1c0
[   49.390016][ T7743]  do_exit+0x90a/0x2fa0
[   49.394150][ T7743]  ? get_signal+0x331/0x1d50
[   49.398911][ T7743]  ? mm_update_next_owner+0x640/0x640
[   49.404262][ T7743]  ? kasan_check_write+0x14/0x20
[   49.409181][ T7743]  ? _raw_spin_unlock_irq+0x28/0x90
[   49.414373][ T7743]  ? get_signal+0x331/0x1d50
[   49.418936][ T7743]  ? _raw_spin_unlock_irq+0x28/0x90
[   49.424111][ T7743]  do_group_exit+0x135/0x370
[   49.428678][ T7743]  get_signal+0x399/0x1d50
[   49.433071][ T7743]  ? __x64_sys_io_submit+0x31f/0x580
[   49.438338][ T7743]  do_signal+0x87/0x1940
[   49.442556][ T7743]  ? lock_downgrade+0x880/0x880
[   49.447381][ T7743]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.453601][ T7743]  ? kasan_check_read+0x11/0x20
[   49.458430][ T7743]  ? setup_sigcontext+0x7d0/0x7d0
[   49.463455][ T7743]  ? exit_to_usermode_loop+0x43/0x2c0
[   49.468825][ T7743]  ? do_syscall_64+0x52d/0x610
[   49.473567][ T7743]  ? exit_to_usermode_loop+0x43/0x2c0
[   49.478923][ T7743]  ? lockdep_hardirqs_on+0x418/0x5d0
[   49.484201][ T7743]  ? trace_hardirqs_on+0x67/0x230
[   49.489203][ T7743]  exit_to_usermode_loop+0x244/0x2c0
[   49.494467][ T7743]  do_syscall_64+0x52d/0x610
[   49.499034][ T7743]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.504898][ T7743] RIP: 0033:0x4458f9
[   49.508794][ T7743] Code: Bad RIP value.
[   49.512836][ T7743] RSP: 002b:00007fe45e690db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   49.521222][ T7743] RAX: fffffffffffffe00 RBX: 00000000006dac58 RCX: 00000000004458f9
[   49.529173][ T7743] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dac58
[   49.537123][ T7743] RBP: 00000000006dac50 R08: 0000000000000000 R09: 0000000000000000
[   49.545076][ T7743] R10: 0000000000000000 R11: 00