[ 61.145659][ T26] audit: type=1800 audit(1560749103.886:25): pid=8937 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 61.186533][ T26] audit: type=1800 audit(1560749103.886:26): pid=8937 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 61.222068][ T26] audit: type=1800 audit(1560749103.886:27): pid=8937 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] startpar: service(s) returned failure: rsyslog ...[?25l[?1c7[FAIL8[?25h[?0c failed! Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.6' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 73.378291][ T9113] [ 73.381758][ T9113] ======================================================== [ 73.389824][ T9113] WARNING: possible irq lock inversion dependency detected [ 73.397023][ T9113] 5.2.0-rc4+ #34 Not tainted [ 73.402012][ T9113] -------------------------------------------------------- [ 73.409317][ T9113] syz-executor020/9113 just changed the state of lock: [ 73.416813][ T9113] 0000000053503226 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x4ca/0x710 [ 73.426966][ T9113] but this lock was taken by another, SOFTIRQ-safe lock in the past: [ 73.435900][ T9113] (&(&ctx->ctx_lock)->rlock){..-.} [ 73.435909][ T9113] [ 73.435909][ T9113] [ 73.435909][ T9113] and interrupts could create inverse lock ordering between them. [ 73.435909][ T9113] [ 73.456921][ T9113] [ 73.456921][ T9113] other info that might help us debug this: [ 73.465066][ T9113] Chain exists of: [ 73.465066][ T9113] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh [ 73.465066][ T9113] [ 73.480194][ T9113] Possible interrupt unsafe locking scenario: [ 73.480194][ T9113] [ 73.488644][ T9113] CPU0 CPU1 [ 73.494607][ T9113] ---- ---- [ 73.500408][ T9113] lock(&ctx->fault_pending_wqh); [ 73.505521][ T9113] local_irq_disable(); [ 73.512393][ T9113] lock(&(&ctx->ctx_lock)->rlock); [ 73.520098][ T9113] lock(&ctx->fd_wqh); [ 73.526760][ T9113] [ 73.530325][ T9113] lock(&(&ctx->ctx_lock)->rlock); [ 73.535682][ T9113] [ 73.535682][ T9113] *** DEADLOCK *** [ 73.535682][ T9113] [ 73.544084][ T9113] no locks held by syz-executor020/9113. [ 73.549700][ T9113] [ 73.549700][ T9113] the shortest dependencies between 2nd lock and 1st lock: [ 73.559061][ T9113] -> (&(&ctx->ctx_lock)->rlock){..-.} { [ 73.564897][ T9113] IN-SOFTIRQ-W at: [ 73.569053][ T9113] lock_acquire+0x16f/0x3f0 [ 73.575948][ T9113] _raw_spin_lock_irq+0x60/0x80 [ 73.582804][ T9113] free_ioctx_users+0x2d/0x490 [ 73.589586][ T9113] percpu_ref_switch_to_atomic_rcu+0x407/0x540 [ 73.597758][ T9113] rcu_core+0xba5/0x1500 [ 73.604663][ T9113] __do_softirq+0x25c/0x94c [ 73.611514][ T9113] irq_exit+0x180/0x1d0 [ 73.617667][ T9113] smp_apic_timer_interrupt+0x13b/0x550 [ 73.625232][ T9113] apic_timer_interrupt+0xf/0x20 [ 73.634929][ T9113] native_safe_halt+0xe/0x10 [ 73.641628][ T9113] arch_cpu_idle+0xa/0x10 [ 73.647949][ T9113] default_idle_call+0x36/0x90 [ 73.654790][ T9113] do_idle+0x377/0x560 [ 73.662591][ T9113] cpu_startup_entry+0x1b/0x20 [ 73.669899][ T9113] rest_init+0x245/0x37b [ 73.676522][ T9113] arch_call_rest_init+0xe/0x1b [ 73.683396][ T9113] start_kernel+0x854/0x893 [ 73.690678][ T9113] x86_64_start_reservations+0x29/0x2b [ 73.699230][ T9113] x86_64_start_kernel+0x77/0x7b [ 73.706407][ T9113] secondary_startup_64+0xa4/0xb0 [ 73.713922][ T9113] INITIAL USE at: [ 73.718016][ T9113] lock_acquire+0x16f/0x3f0 [ 73.725224][ T9113] _raw_spin_lock_irq+0x60/0x80 [ 73.732618][ T9113] io_submit_one+0xeb5/0x2ef0 [ 73.739299][ T9113] __x64_sys_io_submit+0x1bd/0x570 [ 73.746896][ T9113] do_syscall_64+0xfd/0x680 [ 73.753305][ T9113] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 73.761102][ T9113] } [ 73.764207][ T9113] ... key at: [] __key.53428+0x0/0x40 [ 73.772776][ T9113] ... acquired at: [ 73.777053][ T9113] _raw_spin_lock+0x2f/0x40 [ 73.781724][ T9113] io_submit_one+0xefa/0x2ef0 [ 73.786575][ T9113] __x64_sys_io_submit+0x1bd/0x570 [ 73.791964][ T9113] do_syscall_64+0xfd/0x680 [ 73.796742][ T9113] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 73.802822][ T9113] [ 73.805160][ T9113] -> (&ctx->fd_wqh){....} { [ 73.809738][ T9113] INITIAL USE at: [ 73.813745][ T9113] lock_acquire+0x16f/0x3f0 [ 73.820001][ T9113] _raw_spin_lock_irq+0x60/0x80 [ 73.826583][ T9113] userfaultfd_read+0x27a/0x1940 [ 73.833253][ T9113] do_iter_read+0x4a4/0x660 [ 73.839495][ T9113] vfs_readv+0xf0/0x160 [ 73.845465][ T9113] do_readv+0x15b/0x330 [ 73.851381][ T9113] __x64_sys_readv+0x75/0xb0 [ 73.857849][ T9113] do_syscall_64+0xfd/0x680 [ 73.864087][ T9113] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 73.871699][ T9113] } [ 73.874369][ T9113] ... key at: [] __key.46104+0x0/0x40 [ 73.884468][ T9113] ... acquired at: [ 73.888362][ T9113] _raw_spin_lock+0x2f/0x40 [ 73.893060][ T9113] userfaultfd_read+0x540/0x1940 [ 73.898249][ T9113] do_iter_read+0x4a4/0x660 [ 73.903115][ T9113] vfs_readv+0xf0/0x160 [ 73.910071][ T9113] do_readv+0x15b/0x330 [ 73.914663][ T9113] __x64_sys_readv+0x75/0xb0 [ 73.919519][ T9113] do_syscall_64+0xfd/0x680 [ 73.924965][ T9113] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 73.931701][ T9113] [ 73.934049][ T9113] -> (&ctx->fault_pending_wqh){+.+.} { [ 73.939513][ T9113] HARDIRQ-ON-W at: [ 73.943531][ T9113] lock_acquire+0x16f/0x3f0 [ 73.949970][ T9113] _raw_spin_lock+0x2f/0x40 [ 73.956125][ T9113] userfaultfd_release+0x4ca/0x710 [ 73.962886][ T9113] __fput+0x2ff/0x890 [ 73.968550][ T9113] ____fput+0x16/0x20 [ 73.974173][ T9113] task_work_run+0x145/0x1c0 [ 73.980510][ T9113] do_exit+0x90a/0x2fa0 [ 73.986306][ T9113] do_group_exit+0x135/0x370 [ 73.992556][ T9113] get_signal+0x471/0x24b0 [ 74.009628][ T9113] do_signal+0x87/0x1900 [ 74.015528][ T9113] exit_to_usermode_loop+0x244/0x2c0 [ 74.022459][ T9113] do_syscall_64+0x58e/0x680 [ 74.028806][ T9113] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 74.036344][ T9113] SOFTIRQ-ON-W at: [ 74.040345][ T9113] lock_acquire+0x16f/0x3f0 [ 74.046527][ T9113] _raw_spin_lock+0x2f/0x40 [ 74.061291][ T9113] userfaultfd_release+0x4ca/0x710 [ 74.068050][ T9113] __fput+0x2ff/0x890 [ 74.074264][ T9113] ____fput+0x16/0x20 [ 74.079885][ T9113] task_work_run+0x145/0x1c0 [ 74.086591][ T9113] do_exit+0x90a/0x2fa0 [ 74.092526][ T9113] do_group_exit+0x135/0x370 [ 74.098775][ T9113] get_signal+0x471/0x24b0 [ 74.104834][ T9113] do_signal+0x87/0x1900 [ 74.111452][ T9113] exit_to_usermode_loop+0x244/0x2c0 [ 74.118512][ T9113] do_syscall_64+0x58e/0x680 [ 74.126063][ T9113] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 74.133592][ T9113] INITIAL USE at: [ 74.137479][ T9113] lock_acquire+0x16f/0x3f0 [ 74.143844][ T9113] _raw_spin_lock+0x2f/0x40 [ 74.150382][ T9113] userfaultfd_read+0x540/0x1940 [ 74.156871][ T9113] do_iter_read+0x4a4/0x660 [ 74.167065][ T9113] vfs_readv+0xf0/0x160 [ 74.172776][ T9113] do_readv+0x15b/0x330 [ 74.178495][ T9113] __x64_sys_readv+0x75/0xb0 [ 74.184639][ T9113] do_syscall_64+0xfd/0x680 [ 74.190702][ T9113] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 74.198145][ T9113] } [ 74.200922][ T9113] ... key at: [] __key.46101+0x0/0x40 [ 74.208358][ T9113] ... acquired at: [ 74.212166][ T9113] mark_lock+0x420/0x1370 [ 74.216651][ T9113] __lock_acquire+0x12df/0x5490 [ 74.221654][ T9113] lock_acquire+0x16f/0x3f0 [ 74.226315][ T9113] _raw_spin_lock+0x2f/0x40 [ 74.230993][ T9113] userfaultfd_release+0x4ca/0x710 [ 74.236285][ T9113] __fput+0x2ff/0x890 [ 74.240422][ T9113] ____fput+0x16/0x20 [ 74.244558][ T9113] task_work_run+0x145/0x1c0 [ 74.249300][ T9113] do_exit+0x90a/0x2fa0 [ 74.253613][ T9113] do_group_exit+0x135/0x370 [ 74.258368][ T9113] get_signal+0x471/0x24b0 [ 74.265092][ T9113] do_signal+0x87/0x1900 [ 74.269519][ T9113] exit_to_usermode_loop+0x244/0x2c0 [ 74.275212][ T9113] do_syscall_64+0x58e/0x680 [ 74.280100][ T9113] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 74.286145][ T9113] [ 74.288456][ T9113] [ 74.288456][ T9113] stack backtrace: [ 74.294365][ T9113] CPU: 0 PID: 9113 Comm: syz-executor020 Not tainted 5.2.0-rc4+ #34 [ 74.302345][ T9113] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 74.312764][ T9113] Call Trace: [ 74.316046][ T9113] dump_stack+0x172/0x1f0 [ 74.320394][ T9113] print_irq_inversion_bug.part.0+0x2c5/0x2d2 [ 74.326466][ T9113] check_usage_backwards.cold+0x1d/0x26 [ 74.332052][ T9113] ? print_shortest_lock_dependencies+0x90/0x90 [ 74.338375][ T9113] ? stack_trace_save+0xac/0xe0 [ 74.343222][ T9113] ? stack_trace_consume_entry+0x190/0x190 [ 74.349015][ T9113] ? kasan_check_write+0x14/0x20 [ 74.353935][ T9113] ? graph_lock+0x7b/0x200 [ 74.358340][ T9113] ? __lockdep_reset_lock+0x450/0x450 [ 74.363702][ T9113] mark_lock+0x420/0x1370 [ 74.368018][ T9113] ? print_shortest_lock_dependencies+0x90/0x90 [ 74.374338][ T9113] __lock_acquire+0x12df/0x5490 [ 74.379181][ T9113] ? kasan_check_write+0x14/0x20 [ 74.384112][ T9113] ? mark_held_locks+0xf0/0xf0 [ 74.388868][ T9113] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 74.394691][ T9113] ? stack_depot_save+0x25a/0x450 [ 74.399714][ T9113] lock_acquire+0x16f/0x3f0 [ 74.404221][ T9113] ? userfaultfd_release+0x4ca/0x710 [ 74.409503][ T9113] _raw_spin_lock+0x2f/0x40 [ 74.414006][ T9113] ? userfaultfd_release+0x4ca/0x710 [ 74.419298][ T9113] userfaultfd_release+0x4ca/0x710 [ 74.424408][ T9113] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 74.430212][ T9113] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 74.436458][ T9113] ? ima_file_free+0xc9/0x4a0 [ 74.441150][ T9113] __fput+0x2ff/0x890 [ 74.445131][ T9113] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 74.450929][ T9113] ____fput+0x16/0x20 [ 74.454921][ T9113] task_work_run+0x145/0x1c0 [ 74.459507][ T9113] do_exit+0x90a/0x2fa0 [ 74.463651][ T9113] ? get_signal+0x387/0x24b0 [ 74.468236][ T9113] ? mm_update_next_owner+0x640/0x640 [ 74.473607][ T9113] ? kasan_check_write+0x14/0x20 [ 74.485099][ T9113] ? _raw_spin_unlock_irq+0x28/0x90 [ 74.490295][ T9113] ? get_signal+0x387/0x24b0 [ 74.494881][ T9113] ? _raw_spin_unlock_irq+0x28/0x90 [ 74.500073][ T9113] do_group_exit+0x135/0x370 [ 74.504686][ T9113] get_signal+0x471/0x24b0 [ 74.509099][ T9113] ? exit_robust_list+0x2c0/0x2c0 [ 74.514117][ T9113] do_signal+0x87/0x1900 [ 74.518507][ T9113] ? lock_downgrade+0x880/0x880 [ 74.523357][ T9113] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 74.529595][ T9113] ? kasan_check_read+0x11/0x20 [ 74.534439][ T9113] ? setup_sigcontext+0x7d0/0x7d0 [ 74.539460][ T9113] ? exit_to_usermode_loop+0x43/0x2c0 [ 74.544829][ T9113] ? do_syscall_64+0x58e/0x680 [ 74.549595][ T9113] ? exit_to_usermode_loop+0x43/0x2c0 [ 74.554961][ T9113] ? lockdep_hardirqs_on+0x418/0x5d0 [ 74.560242][ T9113] ? trace_hardirqs_on+0x67/0x220 [ 74.565272][ T9113] exit_to_usermode_loop+0x244/0x2c0 [ 74.570551][ T9113] do_syscall_64+0x58e/0x680 [ 74.575136][ T9113] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 74.581024][ T9113] RIP: 0033:0x445919 [ 74.584918][ T9113] Code: Bad RIP value. [ 74.588975][ T9113] RSP: 002b:00007fe924bcedb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 74.597377][ T9113] RAX: fffffffffffffe00 RBX: 00000000006dac58 RCX: 0000000000445919 [ 74.605343][ T9113] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dac58 [ 74.613314][ T9113] RBP: 00000000006dac50 R08: 0000000000000000 R09: 0000000000000000 [ 74.621517][ T9113] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac5c [ 74.629488][ T9113] R13: 00007ffe44a1301f R14: 0000