[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 56.282632][ T26] audit: type=1800 audit(1560771712.305:25): pid=8486 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 56.325543][ T26] audit: type=1800 audit(1560771712.315:26): pid=8486 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 56.345824][ T26] audit: type=1800 audit(1560771712.325:27): pid=8486 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.15.196' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 65.767103][ T8642] [ 65.769481][ T8642] ======================================================== [ 65.776665][ T8642] WARNING: possible irq lock inversion dependency detected [ 65.784009][ T8642] 5.2.0-rc4+ #34 Not tainted [ 65.788568][ T8642] -------------------------------------------------------- [ 65.795840][ T8642] syz-executor465/8642 just changed the state of lock: [ 65.802682][ T8642] 000000005d945f87 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x4ca/0x710 [ 65.812406][ T8642] but this lock was taken by another, SOFTIRQ-safe lock in the past: [ 65.820446][ T8642] (&(&ctx->ctx_lock)->rlock){..-.} [ 65.820453][ T8642] [ 65.820453][ T8642] [ 65.820453][ T8642] and interrupts could create inverse lock ordering between them. [ 65.820453][ T8642] [ 65.840015][ T8642] [ 65.840015][ T8642] other info that might help us debug this: [ 65.848080][ T8642] Chain exists of: [ 65.848080][ T8642] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh [ 65.848080][ T8642] [ 65.862711][ T8642] Possible interrupt unsafe locking scenario: [ 65.862711][ T8642] [ 65.871036][ T8642] CPU0 CPU1 [ 65.876384][ T8642] ---- ---- [ 65.881728][ T8642] lock(&ctx->fault_pending_wqh); [ 65.886892][ T8642] local_irq_disable(); [ 65.893655][ T8642] lock(&(&ctx->ctx_lock)->rlock); [ 65.901819][ T8642] lock(&ctx->fd_wqh); [ 65.908489][ T8642] [ 65.911929][ T8642] lock(&(&ctx->ctx_lock)->rlock); [ 65.917283][ T8642] [ 65.917283][ T8642] *** DEADLOCK *** [ 65.917283][ T8642] [ 65.925425][ T8642] no locks held by syz-executor465/8642. [ 65.931024][ T8642] [ 65.931024][ T8642] the shortest dependencies between 2nd lock and 1st lock: [ 65.940384][ T8642] -> (&(&ctx->ctx_lock)->rlock){..-.} { [ 65.946083][ T8642] IN-SOFTIRQ-W at: [ 65.950225][ T8642] lock_acquire+0x16f/0x3f0 [ 65.957068][ T8642] _raw_spin_lock_irq+0x60/0x80 [ 65.963910][ T8642] free_ioctx_users+0x2d/0x490 [ 65.970664][ T8642] percpu_ref_switch_to_atomic_rcu+0x407/0x540 [ 65.978794][ T8642] rcu_core+0xba5/0x1500 [ 65.985019][ T8642] __do_softirq+0x25c/0x94c [ 65.991509][ T8642] irq_exit+0x180/0x1d0 [ 65.997757][ T8642] smp_apic_timer_interrupt+0x13b/0x550 [ 66.005375][ T8642] apic_timer_interrupt+0xf/0x20 [ 66.012292][ T8642] native_safe_halt+0xe/0x10 [ 66.018863][ T8642] arch_cpu_idle+0xa/0x10 [ 66.025168][ T8642] default_idle_call+0x36/0x90 [ 66.031913][ T8642] do_idle+0x377/0x560 [ 66.037963][ T8642] cpu_startup_entry+0x1b/0x20 [ 66.044724][ T8642] rest_init+0x245/0x37b [ 66.051025][ T8642] arch_call_rest_init+0xe/0x1b [ 66.057967][ T8642] start_kernel+0x854/0x893 [ 66.064447][ T8642] x86_64_start_reservations+0x29/0x2b [ 66.071887][ T8642] x86_64_start_kernel+0x77/0x7b [ 66.078801][ T8642] secondary_startup_64+0xa4/0xb0 [ 66.086006][ T8642] INITIAL USE at: [ 66.090055][ T8642] lock_acquire+0x16f/0x3f0 [ 66.096444][ T8642] _raw_spin_lock_irq+0x60/0x80 [ 66.103361][ T8642] io_submit_one+0xeb5/0x2ef0 [ 66.110028][ T8642] __x64_sys_io_submit+0x1bd/0x570 [ 66.117126][ T8642] do_syscall_64+0xfd/0x680 [ 66.137171][ T8642] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.144948][ T8642] } [ 66.147607][ T8642] ... key at: [] __key.53428+0x0/0x40 [ 66.155311][ T8642] ... acquired at: [ 66.159271][ T8642] _raw_spin_lock+0x2f/0x40 [ 66.163922][ T8642] io_submit_one+0xefa/0x2ef0 [ 66.168795][ T8642] __x64_sys_io_submit+0x1bd/0x570 [ 66.174056][ T8642] do_syscall_64+0xfd/0x680 [ 66.178710][ T8642] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.184747][ T8642] [ 66.187046][ T8642] -> (&ctx->fd_wqh){....} { [ 66.191610][ T8642] INITIAL USE at: [ 66.195677][ T8642] lock_acquire+0x16f/0x3f0 [ 66.201898][ T8642] _raw_spin_lock_irq+0x60/0x80 [ 66.208464][ T8642] userfaultfd_read+0x27a/0x1940 [ 66.215123][ T8642] __vfs_read+0x8a/0x110 [ 66.221083][ T8642] vfs_read+0x194/0x3e0 [ 66.226973][ T8642] ksys_read+0x14f/0x290 [ 66.232933][ T8642] __x64_sys_read+0x73/0xb0 [ 66.239167][ T8642] do_syscall_64+0xfd/0x680 [ 66.245385][ T8642] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.253180][ T8642] } [ 66.255757][ T8642] ... key at: [] __key.46104+0x0/0x40 [ 66.268407][ T8642] ... acquired at: [ 66.272304][ T8642] _raw_spin_lock+0x2f/0x40 [ 66.276965][ T8642] userfaultfd_read+0x540/0x1940 [ 66.282081][ T8642] __vfs_read+0x8a/0x110 [ 66.286478][ T8642] vfs_read+0x194/0x3e0 [ 66.290789][ T8642] ksys_read+0x14f/0x290 [ 66.295191][ T8642] __x64_sys_read+0x73/0xb0 [ 66.299851][ T8642] do_syscall_64+0xfd/0x680 [ 66.304507][ T8642] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.310543][ T8642] [ 66.312871][ T8642] -> (&ctx->fault_pending_wqh){+.+.} { [ 66.318319][ T8642] HARDIRQ-ON-W at: [ 66.322283][ T8642] lock_acquire+0x16f/0x3f0 [ 66.328411][ T8642] _raw_spin_lock+0x2f/0x40 [ 66.334564][ T8642] userfaultfd_release+0x4ca/0x710 [ 66.341336][ T8642] __fput+0x2ff/0x890 [ 66.346953][ T8642] ____fput+0x16/0x20 [ 66.352568][ T8642] task_work_run+0x145/0x1c0 [ 66.358976][ T8642] do_exit+0x90a/0x2fa0 [ 66.365036][ T8642] do_group_exit+0x135/0x370 [ 66.371263][ T8642] get_signal+0x471/0x24b0 [ 66.377306][ T8642] do_signal+0x87/0x1900 [ 66.383179][ T8642] exit_to_usermode_loop+0x244/0x2c0 [ 66.390095][ T8642] do_syscall_64+0x58e/0x680 [ 66.396316][ T8642] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.403827][ T8642] SOFTIRQ-ON-W at: [ 66.407883][ T8642] lock_acquire+0x16f/0x3f0 [ 66.414010][ T8642] _raw_spin_lock+0x2f/0x40 [ 66.420138][ T8642] userfaultfd_release+0x4ca/0x710 [ 66.426881][ T8642] __fput+0x2ff/0x890 [ 66.432518][ T8642] ____fput+0x16/0x20 [ 66.438149][ T8642] task_work_run+0x145/0x1c0 [ 66.444371][ T8642] do_exit+0x90a/0x2fa0 [ 66.450177][ T8642] do_group_exit+0x135/0x370 [ 66.457102][ T8642] get_signal+0x471/0x24b0 [ 66.463152][ T8642] do_signal+0x87/0x1900 [ 66.469122][ T8642] exit_to_usermode_loop+0x244/0x2c0 [ 66.476065][ T8642] do_syscall_64+0x58e/0x680 [ 66.482297][ T8642] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.489813][ T8642] INITIAL USE at: [ 66.493764][ T8642] lock_acquire+0x16f/0x3f0 [ 66.499817][ T8642] _raw_spin_lock+0x2f/0x40 [ 66.505862][ T8642] userfaultfd_read+0x540/0x1940 [ 66.512336][ T8642] __vfs_read+0x8a/0x110 [ 66.518114][ T8642] vfs_read+0x194/0x3e0 [ 66.523805][ T8642] ksys_read+0x14f/0x290 [ 66.529589][ T8642] __x64_sys_read+0x73/0xb0 [ 66.535641][ T8642] do_syscall_64+0xfd/0x680 [ 66.541691][ T8642] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.549208][ T8642] } [ 66.551696][ T8642] ... key at: [] __key.46101+0x0/0x40 [ 66.559129][ T8642] ... acquired at: [ 66.562938][ T8642] mark_lock+0x420/0x1370 [ 66.567437][ T8642] __lock_acquire+0x12df/0x5490 [ 66.572441][ T8642] lock_acquire+0x16f/0x3f0 [ 66.577098][ T8642] _raw_spin_lock+0x2f/0x40 [ 66.581764][ T8642] userfaultfd_release+0x4ca/0x710 [ 66.587026][ T8642] __fput+0x2ff/0x890 [ 66.591161][ T8642] ____fput+0x16/0x20 [ 66.595296][ T8642] task_work_run+0x145/0x1c0 [ 66.600042][ T8642] do_exit+0x90a/0x2fa0 [ 66.604444][ T8642] do_group_exit+0x135/0x370 [ 66.609272][ T8642] get_signal+0x471/0x24b0 [ 66.613836][ T8642] do_signal+0x87/0x1900 [ 66.618234][ T8642] exit_to_usermode_loop+0x244/0x2c0 [ 66.623673][ T8642] do_syscall_64+0x58e/0x680 [ 66.628417][ T8642] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.634451][ T8642] [ 66.636761][ T8642] [ 66.636761][ T8642] stack backtrace: [ 66.642631][ T8642] CPU: 0 PID: 8642 Comm: syz-executor465 Not tainted 5.2.0-rc4+ #34 [ 66.650630][ T8642] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 66.660679][ T8642] Call Trace: [ 66.663977][ T8642] dump_stack+0x172/0x1f0 [ 66.668295][ T8642] print_irq_inversion_bug.part.0+0x2c5/0x2d2 [ 66.674430][ T8642] check_usage_backwards.cold+0x1d/0x26 [ 66.680262][ T8642] ? print_shortest_lock_dependencies+0x90/0x90 [ 66.686489][ T8642] ? stack_trace_save+0xac/0xe0 [ 66.691312][ T8642] ? stack_trace_consume_entry+0x190/0x190 [ 66.697183][ T8642] ? kasan_check_write+0x14/0x20 [ 66.702102][ T8642] ? graph_lock+0x7b/0x200 [ 66.706491][ T8642] ? __lockdep_reset_lock+0x450/0x450 [ 66.711853][ T8642] mark_lock+0x420/0x1370 [ 66.716179][ T8642] ? print_shortest_lock_dependencies+0x90/0x90 [ 66.722395][ T8642] __lock_acquire+0x12df/0x5490 [ 66.727243][ T8642] ? kasan_check_write+0x14/0x20 [ 66.732165][ T8642] ? mark_held_locks+0xf0/0xf0 [ 66.737100][ T8642] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 66.742901][ T8642] ? stack_depot_save+0x25a/0x450 [ 66.747907][ T8642] lock_acquire+0x16f/0x3f0 [ 66.752389][ T8642] ? userfaultfd_release+0x4ca/0x710 [ 66.757650][ T8642] _raw_spin_lock+0x2f/0x40 [ 66.762141][ T8642] ? userfaultfd_release+0x4ca/0x710 [ 66.767420][ T8642] userfaultfd_release+0x4ca/0x710 [ 66.772606][ T8642] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 66.778438][ T8642] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 66.784661][ T8642] ? ima_file_free+0xc9/0x4a0 [ 66.789409][ T8642] __fput+0x2ff/0x890 [ 66.793367][ T8642] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 66.799243][ T8642] ____fput+0x16/0x20 [ 66.803381][ T8642] task_work_run+0x145/0x1c0 [ 66.807969][ T8642] do_exit+0x90a/0x2fa0 [ 66.812109][ T8642] ? get_signal+0x387/0x24b0 [ 66.816683][ T8642] ? mm_update_next_owner+0x640/0x640 [ 66.822031][ T8642] ? kasan_check_write+0x14/0x20 [ 66.826944][ T8642] ? _raw_spin_unlock_irq+0x28/0x90 [ 66.832121][ T8642] ? get_signal+0x387/0x24b0 [ 66.836738][ T8642] ? _raw_spin_unlock_irq+0x28/0x90 [ 66.841937][ T8642] do_group_exit+0x135/0x370 [ 66.846512][ T8642] get_signal+0x471/0x24b0 [ 66.850926][ T8642] ? exit_robust_list+0x2c0/0x2c0 [ 66.855936][ T8642] do_signal+0x87/0x1900 [ 66.860162][ T8642] ? lock_downgrade+0x880/0x880 [ 66.864996][ T8642] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 66.871215][ T8642] ? kasan_check_read+0x11/0x20 [ 66.876160][ T8642] ? setup_sigcontext+0x7d0/0x7d0 [ 66.881176][ T8642] ? exit_to_usermode_loop+0x43/0x2c0 [ 66.886523][ T8642] ? do_syscall_64+0x58e/0x680 [ 66.891260][ T8642] ? exit_to_usermode_loop+0x43/0x2c0 [ 66.896718][ T8642] ? lockdep_hardirqs_on+0x418/0x5d0 [ 66.902151][ T8642] ? trace_hardirqs_on+0x67/0x220 [ 66.907151][ T8642] exit_to_usermode_loop+0x244/0x2c0 [ 66.912426][ T8642] do_syscall_64+0x58e/0x680 [ 66.917000][ T8642] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.922864][ T8642] RIP: 0033:0x4458f9 [ 66.926747][ T8642] Code: Bad RIP value. [ 66.930802][ T8642] RSP: 002b:00007ff0a6f2cdb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 66.939200][ T8642] RAX: fffffffffffffe00 RBX: 00000000006dac58 RCX: 00000000004458f9 [ 66.947180][ T8642] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dac58 [ 66.955137][ T8642] RBP: 00000000006dac50 R08: 0000000000000000 R09: 0000000000000000 [ 66.963441][ T8642] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac5c [ 66.971508]