[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 39.840685][ T26] audit: type=1800 audit(1554248888.276:25): pid=7750 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 39.872866][ T26] audit: type=1800 audit(1554248888.276:26): pid=7750 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 39.904448][ T26] audit: type=1800 audit(1554248888.286:27): pid=7750 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.183' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 52.236662][ T7903] [ 52.239005][ T7903] ======================================================== [ 52.246175][ T7903] WARNING: possible irq lock inversion dependency detected [ 52.253346][ T7903] 5.1.0-rc3+ #47 Not tainted [ 52.257905][ T7903] -------------------------------------------------------- [ 52.265073][ T7903] syz-executor161/7903 just changed the state of lock: [ 52.273304][ T7903] 0000000088b9ddb2 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0 [ 52.285922][ T7903] but this lock was taken by another, SOFTIRQ-safe lock in the past: [ 52.293968][ T7903] (&(&ctx->ctx_lock)->rlock){..-.} [ 52.293975][ T7903] [ 52.293975][ T7903] [ 52.293975][ T7903] and interrupts could create inverse lock ordering between them. [ 52.293975][ T7903] [ 52.313420][ T7903] [ 52.313420][ T7903] other info that might help us debug this: [ 52.321450][ T7903] Chain exists of: [ 52.321450][ T7903] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh [ 52.321450][ T7903] [ 52.335650][ T7903] Possible interrupt unsafe locking scenario: [ 52.335650][ T7903] [ 52.343959][ T7903] CPU0 CPU1 [ 52.349307][ T7903] ---- ---- [ 52.354666][ T7903] lock(&ctx->fault_pending_wqh); [ 52.359750][ T7903] local_irq_disable(); [ 52.366481][ T7903] lock(&(&ctx->ctx_lock)->rlock); [ 52.374173][ T7903] lock(&ctx->fd_wqh); [ 52.380822][ T7903] [ 52.384252][ T7903] lock(&(&ctx->ctx_lock)->rlock); [ 52.389600][ T7903] [ 52.389600][ T7903] *** DEADLOCK *** [ 52.389600][ T7903] [ 52.397720][ T7903] no locks held by syz-executor161/7903. [ 52.403342][ T7903] [ 52.403342][ T7903] the shortest dependencies between 2nd lock and 1st lock: [ 52.412693][ T7903] -> (&(&ctx->ctx_lock)->rlock){..-.} { [ 52.418400][ T7903] IN-SOFTIRQ-W at: [ 52.422537][ T7903] lock_acquire+0x16f/0x3f0 [ 52.429017][ T7903] _raw_spin_lock_irq+0x60/0x80 [ 52.435846][ T7903] free_ioctx_users+0x2d/0x4a0 [ 52.442584][ T7903] percpu_ref_switch_to_atomic_rcu+0x3e7/0x520 [ 52.450773][ T7903] rcu_core+0x928/0x1390 [ 52.457009][ T7903] __do_softirq+0x266/0x95a [ 52.463489][ T7903] irq_exit+0x180/0x1d0 [ 52.469620][ T7903] smp_apic_timer_interrupt+0x14a/0x570 [ 52.477138][ T7903] apic_timer_interrupt+0xf/0x20 [ 52.484044][ T7903] native_safe_halt+0x2/0x10 [ 52.490641][ T7903] arch_cpu_idle+0x10/0x20 [ 52.497043][ T7903] default_idle_call+0x36/0x90 [ 52.503780][ T7903] do_idle+0x386/0x570 [ 52.509823][ T7903] cpu_startup_entry+0x1b/0x20 [ 52.516576][ T7903] rest_init+0x245/0x37b [ 52.522813][ T7903] arch_call_rest_init+0xe/0x1b [ 52.529737][ T7903] start_kernel+0x816/0x84f [ 52.536236][ T7903] x86_64_start_reservations+0x29/0x2b [ 52.543679][ T7903] x86_64_start_kernel+0x77/0x7b [ 52.550589][ T7903] secondary_startup_64+0xa4/0xb0 [ 52.557592][ T7903] INITIAL USE at: [ 52.561654][ T7903] lock_acquire+0x16f/0x3f0 [ 52.568128][ T7903] _raw_spin_lock_irq+0x60/0x80 [ 52.574882][ T7903] io_submit_one+0xaec/0x2f90 [ 52.581446][ T7903] __x64_sys_io_submit+0x1bd/0x580 [ 52.588448][ T7903] do_syscall_64+0x103/0x610 [ 52.594928][ T7903] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 52.602702][ T7903] } [ 52.605363][ T7903] ... key at: [] __key.52649+0x0/0x40 [ 52.612960][ T7903] ... acquired at: [ 52.616945][ T7903] lock_acquire+0x16f/0x3f0 [ 52.621595][ T7903] _raw_spin_lock+0x2f/0x40 [ 52.626246][ T7903] io_submit_one+0xb31/0x2f90 [ 52.631072][ T7903] __x64_sys_io_submit+0x1bd/0x580 [ 52.636343][ T7903] do_syscall_64+0x103/0x610 [ 52.641083][ T7903] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 52.647141][ T7903] [ 52.649447][ T7903] -> (&ctx->fd_wqh){....} { [ 52.654011][ T7903] INITIAL USE at: [ 52.657970][ T7903] lock_acquire+0x16f/0x3f0 [ 52.664185][ T7903] _raw_spin_lock_irq+0x60/0x80 [ 52.670833][ T7903] userfaultfd_read+0x27a/0x1940 [ 52.677483][ T7903] __vfs_read+0x8d/0x110 [ 52.683436][ T7903] vfs_read+0x194/0x3e0 [ 52.689303][ T7903] ksys_read+0xea/0x1f0 [ 52.695204][ T7903] __x64_sys_read+0x73/0xb0 [ 52.701441][ T7903] do_syscall_64+0x103/0x610 [ 52.707746][ T7903] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 52.715347][ T7903] } [ 52.717912][ T7903] ... key at: [] __key.45459+0x0/0x40 [ 52.725430][ T7903] ... acquired at: [ 52.729322][ T7903] lock_acquire+0x16f/0x3f0 [ 52.733979][ T7903] _raw_spin_lock+0x2f/0x40 [ 52.738639][ T7903] userfaultfd_read+0x540/0x1940 [ 52.743734][ T7903] __vfs_read+0x8d/0x110 [ 52.748125][ T7903] vfs_read+0x194/0x3e0 [ 52.752431][ T7903] ksys_read+0xea/0x1f0 [ 52.756733][ T7903] __x64_sys_read+0x73/0xb0 [ 52.761388][ T7903] do_syscall_64+0x103/0x610 [ 52.766125][ T7903] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 52.772172][ T7903] [ 52.774493][ T7903] -> (&ctx->fault_pending_wqh){+.+.} { [ 52.779922][ T7903] HARDIRQ-ON-W at: [ 52.783895][ T7903] lock_acquire+0x16f/0x3f0 [ 52.790027][ T7903] _raw_spin_lock+0x2f/0x40 [ 52.796172][ T7903] userfaultfd_release+0x48e/0x6d0 [ 52.802907][ T7903] __fput+0x2e5/0x8d0 [ 52.808533][ T7903] ____fput+0x16/0x20 [ 52.814240][ T7903] task_work_run+0x14a/0x1c0 [ 52.820486][ T7903] do_exit+0x90a/0x2fa0 [ 52.826269][ T7903] do_group_exit+0x135/0x370 [ 52.832501][ T7903] get_signal+0x399/0x1d50 [ 52.838675][ T7903] do_signal+0x87/0x1940 [ 52.844557][ T7903] exit_to_usermode_loop+0x244/0x2c0 [ 52.851483][ T7903] do_syscall_64+0x52d/0x610 [ 52.857702][ T7903] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 52.865214][ T7903] SOFTIRQ-ON-W at: [ 52.869176][ T7903] lock_acquire+0x16f/0x3f0 [ 52.875392][ T7903] _raw_spin_lock+0x2f/0x40 [ 52.881527][ T7903] userfaultfd_release+0x48e/0x6d0 [ 52.888272][ T7903] __fput+0x2e5/0x8d0 [ 52.893889][ T7903] ____fput+0x16/0x20 [ 52.899502][ T7903] task_work_run+0x14a/0x1c0 [ 52.905720][ T7903] do_exit+0x90a/0x2fa0 [ 52.911500][ T7903] do_group_exit+0x135/0x370 [ 52.917719][ T7903] get_signal+0x399/0x1d50 [ 52.923769][ T7903] do_signal+0x87/0x1940 [ 52.929646][ T7903] exit_to_usermode_loop+0x244/0x2c0 [ 52.936564][ T7903] do_syscall_64+0x52d/0x610 [ 52.942800][ T7903] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 52.950309][ T7903] INITIAL USE at: [ 52.954181][ T7903] lock_acquire+0x16f/0x3f0 [ 52.960220][ T7903] _raw_spin_lock+0x2f/0x40 [ 52.966264][ T7903] userfaultfd_read+0x540/0x1940 [ 52.972743][ T7903] __vfs_read+0x8d/0x110 [ 52.978528][ T7903] vfs_read+0x194/0x3e0 [ 52.984243][ T7903] ksys_read+0xea/0x1f0 [ 52.989961][ T7903] __x64_sys_read+0x73/0xb0 [ 52.996021][ T7903] do_syscall_64+0x103/0x610 [ 53.002150][ T7903] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 53.009575][ T7903] } [ 53.012054][ T7903] ... key at: [] __key.45456+0x0/0x40 [ 53.019479][ T7903] ... acquired at: [ 53.023284][ T7903] mark_lock+0x427/0x1380 [ 53.027783][ T7903] __lock_acquire+0x1317/0x3fb0 [ 53.032782][ T7903] lock_acquire+0x16f/0x3f0 [ 53.037433][ T7903] _raw_spin_lock+0x2f/0x40 [ 53.042102][ T7903] userfaultfd_release+0x48e/0x6d0 [ 53.047362][ T7903] __fput+0x2e5/0x8d0 [ 53.051512][ T7903] ____fput+0x16/0x20 [ 53.055645][ T7903] task_work_run+0x14a/0x1c0 [ 53.060383][ T7903] do_exit+0x90a/0x2fa0 [ 53.064684][ T7903] do_group_exit+0x135/0x370 [ 53.069421][ T7903] get_signal+0x399/0x1d50 [ 53.073987][ T7903] do_signal+0x87/0x1940 [ 53.078381][ T7903] exit_to_usermode_loop+0x244/0x2c0 [ 53.083809][ T7903] do_syscall_64+0x52d/0x610 [ 53.088554][ T7903] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 53.094588][ T7903] [ 53.096895][ T7903] [ 53.096895][ T7903] stack backtrace: [ 53.102763][ T7903] CPU: 0 PID: 7903 Comm: syz-executor161 Not tainted 5.1.0-rc3+ #47 [ 53.110709][ T7903] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 53.120758][ T7903] Call Trace: [ 53.124053][ T7903] dump_stack+0x172/0x1f0 [ 53.128364][ T7903] print_irq_inversion_bug.part.0+0x2c0/0x2cd [ 53.134405][ T7903] check_usage_backwards.cold+0x1d/0x26 [ 53.139973][ T7903] ? print_shortest_lock_dependencies+0x90/0x90 [ 53.146196][ T7903] ? save_stack_trace+0x1a/0x20 [ 53.151050][ T7903] mark_lock+0x427/0x1380 [ 53.155359][ T7903] ? print_shortest_lock_dependencies+0x90/0x90 [ 53.161595][ T7903] __lock_acquire+0x1317/0x3fb0 [ 53.166421][ T7903] ? trace_hardirqs_off+0x62/0x220 [ 53.171528][ T7903] ? kasan_check_read+0x11/0x20 [ 53.176377][ T7903] ? mark_held_locks+0xf0/0xf0 [ 53.181116][ T7903] ? save_stack+0xa9/0xd0 [ 53.185432][ T7903] ? save_stack+0x45/0xd0 [ 53.189733][ T7903] ? __kasan_slab_free+0x102/0x150 [ 53.194819][ T7903] ? kasan_slab_free+0xe/0x10 [ 53.199470][ T7903] ? kmem_cache_free+0x86/0x260 [ 53.204291][ T7903] ? free_fs_struct+0x4f/0x70 [ 53.208962][ T7903] ? exit_fs+0xf0/0x130 [ 53.213099][ T7903] lock_acquire+0x16f/0x3f0 [ 53.217582][ T7903] ? userfaultfd_release+0x48e/0x6d0 [ 53.222843][ T7903] _raw_spin_lock+0x2f/0x40 [ 53.227322][ T7903] ? userfaultfd_release+0x48e/0x6d0 [ 53.232592][ T7903] userfaultfd_release+0x48e/0x6d0 [ 53.237685][ T7903] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 53.243489][ T7903] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 53.249812][ T7903] ? ima_file_free+0xc9/0x4a0 [ 53.254466][ T7903] ? __might_sleep+0x95/0x190 [ 53.259117][ T7903] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 53.264941][ T7903] __fput+0x2e5/0x8d0 [ 53.268909][ T7903] ____fput+0x16/0x20 [ 53.272882][ T7903] task_work_run+0x14a/0x1c0 [ 53.277449][ T7903] do_exit+0x90a/0x2fa0 [ 53.281579][ T7903] ? get_signal+0x331/0x1d50 [ 53.286145][ T7903] ? mm_update_next_owner+0x640/0x640 [ 53.291508][ T7903] ? kasan_check_write+0x14/0x20 [ 53.296423][ T7903] ? _raw_spin_unlock_irq+0x28/0x90 [ 53.301600][ T7903] ? get_signal+0x331/0x1d50 [ 53.306341][ T7903] ? _raw_spin_unlock_irq+0x28/0x90 [ 53.311515][ T7903] do_group_exit+0x135/0x370 [ 53.316109][ T7903] get_signal+0x399/0x1d50 [ 53.320519][ T7903] ? __x64_sys_io_submit+0x31f/0x580 [ 53.325788][ T7903] do_signal+0x87/0x1940 [ 53.330024][ T7903] ? lock_downgrade+0x880/0x880 [ 53.334877][ T7903] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 53.341101][ T7903] ? kasan_check_read+0x11/0x20 [ 53.345933][ T7903] ? setup_sigcontext+0x7d0/0x7d0 [ 53.350939][ T7903] ? exit_to_usermode_loop+0x43/0x2c0 [ 53.356290][ T7903] ? do_syscall_64+0x52d/0x610 [ 53.361030][ T7903] ? exit_to_usermode_loop+0x43/0x2c0 [ 53.366382][ T7903] ? lockdep_hardirqs_on+0x418/0x5d0 [ 53.371642][ T7903] ? trace_hardirqs_on+0x67/0x230 [ 53.376663][ T7903] exit_to_usermode_loop+0x244/0x2c0 [ 53.381924][ T7903] do_syscall_64+0x52d/0x610 [ 53.386666][ T7903] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 53.392527][ T7903] RIP: 0033:0x4458d9 [ 53.396401][ T7903] Code: Bad RIP value. [ 53.400452][ T7903] RSP: 002b:00007ffbf0ac2db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 53.408838][ T7903] RAX: fffffffffffffe00 RBX: 00000000006dac58 RCX: 00000000004458d9 [ 53.416794][ T7903] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dac58 [ 53.424759][ T7903] RBP: 00000000006dac50 R08: 0000000000000000 R09: 0000000000000000 [ 53.432714][ T7903] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac5c [ 53.440662][ T