[ 35.893151][ T26] audit: type=1800 audit(1554516215.188:27): pid=7447 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 35.924348][ T26] audit: type=1800 audit(1554516215.198:28): pid=7447 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 36.882727][ T26] audit: type=1800 audit(1554516216.228:29): pid=7447 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 36.903819][ T26] audit: type=1800 audit(1554516216.228:30): pid=7447 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.37' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 67.941496][ T7602]
[ 67.944025][ T7602] ========================================================
[ 67.951482][ T7602] WARNING: possible irq lock inversion dependency detected
[ 67.958769][ T7602] 5.1.0-rc3+ #55 Not tainted
[ 67.963343][ T7602] --------------------------------------------------------
[ 67.970996][ T7602] syz-executor744/7602 just changed the state of lock:
[ 67.978152][ T7602] 00000000de0965c9 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0
[ 67.988446][ T7602] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 67.996699][ T7602] (&(&ctx->ctx_lock)->rlock){..-.}
[ 67.996709][ T7602]
[ 67.996709][ T7602]
[ 67.996709][ T7602] and interrupts could create inverse lock ordering between them.
[ 67.996709][ T7602]
[ 68.016712][ T7602]
[ 68.016712][ T7602] other info that might help us debug this:
[ 68.024860][ T7602] Chain exists of:
[ 68.024860][ T7602] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 68.024860][ T7602]
[ 68.039566][ T7602] Possible interrupt unsafe locking scenario:
[ 68.039566][ T7602]
[ 68.048135][ T7602]        CPU0                    CPU1
[ 68.053686][ T7602]        ----                    ----
[ 68.059278][ T7602]   lock(&ctx->fault_pending_wqh);
[ 68.065155][ T7602]                                local_irq_disable();
[ 68.072313][ T7602]                                lock(&(&ctx->ctx_lock)->rlock);
[ 68.080025][ T7602]                                lock(&ctx->fd_wqh);
[ 68.087131][ T7602]
[ 68.090592][ T7602]     lock(&(&ctx->ctx_lock)->rlock);
[ 68.096041][ T7602]
[ 68.096041][ T7602] *** DEADLOCK ***
[ 68.096041][ T7602]
[ 68.104328][ T7602] no locks held by syz-executor744/7602.
[ 68.110202][ T7602]
[ 68.110202][ T7602] the shortest dependencies between 2nd lock and 1st lock:
[ 68.119746][ T7602] -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 68.125621][ T7602] IN-SOFTIRQ-W at:
[ 68.129785][ T7602] lock_acquire+0x16f/0x3f0
[ 68.136303][ T7602] _raw_spin_lock_irq+0x60/0x80
[ 68.143582][ T7602] free_ioctx_users+0x2d/0x4a0
[ 68.150511][ T7602] percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[ 68.158820][ T7602] rcu_core+0x928/0x1390
[ 68.165314][ T7602] __do_softirq+0x266/0x95a
[ 68.172633][ T7602] irq_exit+0x180/0x1d0
[ 68.179267][ T7602] smp_apic_timer_interrupt+0x14a/0x570
[ 68.186863][ T7602] apic_timer_interrupt+0xf/0x20
[ 68.193961][ T7602] native_safe_halt+0x2/0x10
[ 68.200693][ T7602] arch_cpu_idle+0x10/0x20
[ 68.207240][ T7602] default_idle_call+0x36/0x90
[ 68.214010][ T7602] do_idle+0x386/0x570
[ 68.220225][ T7602] cpu_startup_entry+0x1b/0x20
[ 68.227496][ T7602] rest_init+0x245/0x37b
[ 68.233866][ T7602] arch_call_rest_init+0xe/0x1b
[ 68.240821][ T7602] start_kernel+0x816/0x84f
[ 68.247330][ T7602] x86_64_start_reservations+0x29/0x2b
[ 68.255149][ T7602] x86_64_start_kernel+0x77/0x7b
[ 68.262230][ T7602] secondary_startup_64+0xa4/0xb0
[ 68.269342][ T7602] INITIAL USE at:
[ 68.273504][ T7602] lock_acquire+0x16f/0x3f0
[ 68.280121][ T7602] _raw_spin_lock_irq+0x60/0x80
[ 68.287133][ T7602] io_submit_one+0xaec/0x2f90
[ 68.293907][ T7602] __x64_sys_io_submit+0x1bd/0x580
[ 68.301233][ T7602] do_syscall_64+0x103/0x610
[ 68.308073][ T7602] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.316124][ T7602] }
[ 68.319040][ T7602] ... key at: [] __key.52649+0x0/0x40
[ 68.326671][ T7602] ... acquired at:
[ 68.330659][ T7602] lock_acquire+0x16f/0x3f0
[ 68.335775][ T7602] _raw_spin_lock+0x2f/0x40
[ 68.340459][ T7602] io_submit_one+0xb31/0x2f90
[ 68.345540][ T7602] __x64_sys_io_submit+0x1bd/0x580
[ 68.351063][ T7602] do_syscall_64+0x103/0x610
[ 68.355840][ T7602] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.362121][ T7602]
[ 68.364605][ T7602] -> (&ctx->fd_wqh){....} {
[ 68.369416][ T7602] INITIAL USE at:
[ 68.373786][ T7602] lock_acquire+0x16f/0x3f0
[ 68.380232][ T7602] _raw_spin_lock_irqsave+0x95/0xcd
[ 68.387268][ T7602] add_wait_queue+0x4c/0x170
[ 68.393604][ T7602] aio_poll_queue_proc+0x9e/0x110
[ 68.400669][ T7602] userfaultfd_poll+0x93/0x220
[ 68.407287][ T7602] io_submit_one+0xa8a/0x2f90
[ 68.414015][ T7602] __x64_sys_io_submit+0x1bd/0x580
[ 68.421304][ T7602] do_syscall_64+0x103/0x610
[ 68.427813][ T7602] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.435533][ T7602] }
[ 68.438207][ T7602] ... key at: [] __key.45459+0x0/0x40
[ 68.445879][ T7602] ... acquired at:
[ 68.449767][ T7602] lock_acquire+0x16f/0x3f0
[ 68.454581][ T7602] _raw_spin_lock+0x2f/0x40
[ 68.459258][ T7602] userfaultfd_read+0x540/0x1940
[ 68.464515][ T7602] __vfs_read+0x8d/0x110
[ 68.468938][ T7602] vfs_read+0x194/0x3e0
[ 68.473262][ T7602] ksys_read+0xea/0x1f0
[ 68.477586][ T7602] __x64_sys_read+0x73/0xb0
[ 68.482267][ T7602] do_syscall_64+0x103/0x610
[ 68.487138][ T7602] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.493513][ T7602]
[ 68.495838][ T7602] -> (&ctx->fault_pending_wqh){+.+.} {
[ 68.501501][ T7602] HARDIRQ-ON-W at:
[ 68.505499][ T7602] lock_acquire+0x16f/0x3f0
[ 68.511653][ T7602] _raw_spin_lock+0x2f/0x40
[ 68.518032][ T7602] userfaultfd_release+0x48e/0x6d0
[ 68.525154][ T7602] __fput+0x2e5/0x8d0
[ 68.531043][ T7602] ____fput+0x16/0x20
[ 68.536950][ T7602] task_work_run+0x14a/0x1c0
[ 68.543385][ T7602] do_exit+0x90a/0x2fa0
[ 68.549294][ T7602] do_group_exit+0x135/0x370
[ 68.555711][ T7602] get_signal+0x399/0x1d50
[ 68.562345][ T7602] do_signal+0x87/0x1940
[ 68.568254][ T7602] exit_to_usermode_loop+0x244/0x2c0
[ 68.575567][ T7602] do_syscall_64+0x52d/0x610
[ 68.582002][ T7602] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.589994][ T7602] SOFTIRQ-ON-W at:
[ 68.594097][ T7602] lock_acquire+0x16f/0x3f0
[ 68.600387][ T7602] _raw_spin_lock+0x2f/0x40
[ 68.606522][ T7602] userfaultfd_release+0x48e/0x6d0
[ 68.613454][ T7602] __fput+0x2e5/0x8d0
[ 68.619403][ T7602] ____fput+0x16/0x20
[ 68.625137][ T7602] task_work_run+0x14a/0x1c0
[ 68.631384][ T7602] do_exit+0x90a/0x2fa0
[ 68.637445][ T7602] do_group_exit+0x135/0x370
[ 68.643910][ T7602] get_signal+0x399/0x1d50
[ 68.650422][ T7602] do_signal+0x87/0x1940
[ 68.656591][ T7602] exit_to_usermode_loop+0x244/0x2c0
[ 68.663783][ T7602] do_syscall_64+0x52d/0x610
[ 68.670299][ T7602] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.677991][ T7602] INITIAL USE at:
[ 68.682040][ T7602] lock_acquire+0x16f/0x3f0
[ 68.688343][ T7602] _raw_spin_lock+0x2f/0x40
[ 68.694421][ T7602] userfaultfd_read+0x540/0x1940
[ 68.701090][ T7602] __vfs_read+0x8d/0x110
[ 68.707240][ T7602] vfs_read+0x194/0x3e0
[ 68.712972][ T7602] ksys_read+0xea/0x1f0
[ 68.719322][ T7602] __x64_sys_read+0x73/0xb0
[ 68.725526][ T7602] do_syscall_64+0x103/0x610
[ 68.731955][ T7602] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.739401][ T7602] }
[ 68.741981][ T7602] ... key at: [] __key.45456+0x0/0x40
[ 68.749513][ T7602] ... acquired at:
[ 68.753309][ T7602] mark_lock+0x427/0x1380
[ 68.757890][ T7602] __lock_acquire+0x1317/0x3fb0
[ 68.762900][ T7602] lock_acquire+0x16f/0x3f0
[ 68.767721][ T7602] _raw_spin_lock+0x2f/0x40
[ 68.773566][ T7602] userfaultfd_release+0x48e/0x6d0
[ 68.779093][ T7602] __fput+0x2e5/0x8d0
[ 68.783494][ T7602] ____fput+0x16/0x20
[ 68.788052][ T7602] task_work_run+0x14a/0x1c0
[ 68.793078][ T7602] do_exit+0x90a/0x2fa0
[ 68.797609][ T7602] do_group_exit+0x135/0x370
[ 68.803460][ T7602] get_signal+0x399/0x1d50
[ 68.808062][ T7602] do_signal+0x87/0x1940
[ 68.812557][ T7602] exit_to_usermode_loop+0x244/0x2c0
[ 68.818084][ T7602] do_syscall_64+0x52d/0x610
[ 68.822862][ T7602] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.829170][ T7602]
[ 68.831803][ T7602]
[ 68.831803][ T7602] stack backtrace:
[ 68.838008][ T7602] CPU: 0 PID: 7602 Comm: syz-executor744 Not tainted 5.1.0-rc3+ #55
[ 68.846122][ T7602] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.856259][ T7602] Call Trace:
[ 68.859904][ T7602] dump_stack+0x172/0x1f0
[ 68.864496][ T7602] print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 68.870766][ T7602] check_usage_backwards.cold+0x1d/0x26
[ 68.876312][ T7602] ? print_shortest_lock_dependencies+0x90/0x90
[ 68.882850][ T7602] ? save_stack_trace+0x1a/0x20
[ 68.888096][ T7602] ? depot_save_stack+0x1de/0x460
[ 68.893265][ T7602] mark_lock+0x427/0x1380
[ 68.897622][ T7602] ? print_shortest_lock_dependencies+0x90/0x90
[ 68.903864][ T7602] __lock_acquire+0x1317/0x3fb0
[ 68.908905][ T7602] ? trace_hardirqs_off+0x62/0x220
[ 68.914108][ T7602] ? kasan_check_read+0x11/0x20
[ 68.919156][ T7602] ? mark_held_locks+0xf0/0xf0
[ 68.924255][ T7602] ? save_stack+0xa9/0xd0
[ 68.928681][ T7602] ? save_stack+0x45/0xd0
[ 68.933375][ T7602] ? __kasan_slab_free+0x102/0x150
[ 68.938761][ T7602] ? kasan_slab_free+0xe/0x10
[ 68.943533][ T7602] ? kmem_cache_free+0x86/0x260
[ 68.948381][ T7602] ? free_fs_struct+0x4f/0x70
[ 68.953179][ T7602] ? exit_fs+0xf0/0x130
[ 68.957814][ T7602] lock_acquire+0x16f/0x3f0
[ 68.962626][ T7602] ? userfaultfd_release+0x48e/0x6d0
[ 68.968276][ T7602] _raw_spin_lock+0x2f/0x40
[ 68.973030][ T7602] ? userfaultfd_release+0x48e/0x6d0
[ 68.978569][ T7602] userfaultfd_release+0x48e/0x6d0
[ 68.983851][ T7602] ? userfaultfd_wake_function+0x2f0/0x2f0
[ 68.989671][ T7602] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 68.996139][ T7602] ? ima_file_free+0xc9/0x4a0
[ 69.000937][ T7602] ? __might_sleep+0x95/0x190
[ 69.005756][ T7602] ? userfaultfd_wake_function+0x2f0/0x2f0
[ 69.011795][ T7602] __fput+0x2e5/0x8d0
[ 69.016033][ T7602] ____fput+0x16/0x20
[ 69.020154][ T7602] task_work_run+0x14a/0x1c0
[ 69.024744][ T7602] do_exit+0x90a/0x2fa0
[ 69.028987][ T7602] ? get_signal+0x331/0x1d50
[ 69.033656][ T7602] ? mm_update_next_owner+0x640/0x640
[ 69.039520][ T7602] ? kasan_check_write+0x14/0x20
[ 69.044464][ T7602] ? _raw_spin_unlock_irq+0x28/0x90
[ 69.050067][ T7602] ? get_signal+0x331/0x1d50
[ 69.054658][ T7602] ? _raw_spin_unlock_irq+0x28/0x90
[ 69.059952][ T7602] do_group_exit+0x135/0x370
[ 69.064891][ T7602] get_signal+0x399/0x1d50
[ 69.069617][ T7602] ? fsnotify+0xbc0/0xbc0
[ 69.074492][ T7602] ? fsnotify_first_mark+0x210/0x210
[ 69.081335][ T7602] do_signal+0x87/0x1940
[ 69.086000][ T7602] ? __vfs_read+0x95/0x110
[ 69.090498][ T7602] ? userfaultfd_event_wait_completion+0xa50/0xa50
[ 69.097919][ T7602] ? setup_sigcontext+0x7d0/0x7d0
[ 69.102933][ T7602] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 69.109687][ T7602] ? vfs_read+0x15d/0x3e0
[ 69.114121][ T7602] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 69.120361][ T7602] ? ksys_read+0x166/0x1f0
[ 69.124857][ T7602] ? exit_to_usermode_loop+0x43/0x2c0
[ 69.130379][ T7602] ? do_syscall_64+0x52d/0x610
[ 69.135402][ T7602] ? exit_to_usermode_loop+0x43/0x2c0
[ 69.141103][ T7602] ? lockdep_hardirqs_on+0x418/0x5d0
[ 69.146783][ T7602] ? trace_hardirqs_on+0x67/0x230
[ 69.151884][ T7602] exit_to_usermode_loop+0x244/0x2c0
[ 69.157321][ T7602] do_syscall_64+0x52d/0x610
[ 69.162016][ T7602] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.168140][ T7602] RIP: 0033:0x441279
[ 69.172042][ T7602] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
executing program
[ 69.192087][ T7602] RSP: 002b:00007ffcc06745d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 69.201048][ T7602] RAX: fffffffffffffe00 RBX: 0000000000000003 RCX: 0000000000441279
[ 69.209092][ T7602] RDX: 0000000000000107 RSI: 0000000020000180 RDI: 0000000000000004
[ 69.217541][ T7602] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
[ 69.225608][ T7602] R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020a0
[ 69.233880][ T7602] R13: 0000000000402130 R14: 0000000000000000 R15: 0000000000000000
executing program