[ 40.483262][ T26] audit: type=1800 audit(1554316653.510:25): pid=7718 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 40.518718][ T26] audit: type=1800 audit(1554316653.510:26): pid=7718 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 40.540372][ T26] audit: type=1800 audit(1554316653.510:27): pid=7718 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[FAIL] startpar: service(s) returned failure: ssh ... failed!

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.192' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 55.652842][ T7895]
[ 55.655320][ T7895] ========================================================
[ 55.662582][ T7895] WARNING: possible irq lock inversion dependency detected
[ 55.669973][ T7895] 5.1.0-rc3+ #49 Not tainted
[ 55.674608][ T7895] --------------------------------------------------------
[ 55.682035][ T7895] syz-executor080/7895 just changed the state of lock:
[ 55.688960][ T7895] 00000000392d4921 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0
[ 55.699173][ T7895] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 55.707597][ T7895]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 55.707606][ T7895]
[ 55.707606][ T7895]
[ 55.707606][ T7895] and interrupts could create inverse lock ordering between them.
[ 55.707606][ T7895]
[ 55.727571][ T7895]
[ 55.727571][ T7895] other info that might help us debug this:
[ 55.735669][ T7895] Chain exists of:
[ 55.735669][ T7895]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 55.735669][ T7895]
[ 55.750067][ T7895]  Possible interrupt unsafe locking scenario:
[ 55.750067][ T7895]
[ 55.759260][ T7895]        CPU0                    CPU1
[ 55.764742][ T7895]        ----                    ----
[ 55.770374][ T7895]   lock(&ctx->fault_pending_wqh);
[ 55.775579][ T7895]                                local_irq_disable();
[ 55.782322][ T7895]                                lock(&(&ctx->ctx_lock)->rlock);
[ 55.790350][ T7895]                                lock(&ctx->fd_wqh);
[ 55.797066][ T7895]   <Interrupt>
[ 55.800603][ T7895]     lock(&(&ctx->ctx_lock)->rlock);
[ 55.805981][ T7895]
[ 55.805981][ T7895]  *** DEADLOCK ***
[ 55.805981][ T7895]
[ 55.814126][ T7895] no locks held by syz-executor080/7895.
[ 55.819753][ T7895]
[ 55.819753][ T7895] the shortest dependencies between 2nd lock and 1st lock:
[ 55.829119][ T7895] -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 55.834930][ T7895]    IN-SOFTIRQ-W at:
[ 55.839081][ T7895]                     lock_acquire+0x16f/0x3f0
[ 55.845701][ T7895]                     _raw_spin_lock_irq+0x60/0x80
[ 55.852572][ T7895]                     free_ioctx_users+0x2d/0x4a0
[ 55.859372][ T7895]                     percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[ 55.867786][ T7895]                     rcu_core+0x928/0x1390
[ 55.874017][ T7895]                     __do_softirq+0x266/0x95a
[ 55.880746][ T7895]                     irq_exit+0x180/0x1d0
[ 55.886897][ T7895]                     smp_apic_timer_interrupt+0x14a/0x570
[ 55.894610][ T7895]                     apic_timer_interrupt+0xf/0x20
[ 55.901541][ T7895]                     native_safe_halt+0x2/0x10
[ 55.908242][ T7895]                     arch_cpu_idle+0x10/0x20
[ 55.914646][ T7895]                     default_idle_call+0x36/0x90
[ 55.921395][ T7895]                     do_idle+0x386/0x570
[ 55.927457][ T7895]                     cpu_startup_entry+0x1b/0x20
[ 55.934235][ T7895]                     rest_init+0x245/0x37b
[ 55.940468][ T7895]                     arch_call_rest_init+0xe/0x1b
[ 55.947363][ T7895]                     start_kernel+0x816/0x84f
[ 55.954121][ T7895]                     x86_64_start_reservations+0x29/0x2b
[ 55.961567][ T7895]                     x86_64_start_kernel+0x77/0x7b
[ 55.968499][ T7895]                     secondary_startup_64+0xa4/0xb0
[ 55.975562][ T7895]    INITIAL USE at:
[ 55.979630][ T7895]                    lock_acquire+0x16f/0x3f0
[ 55.986200][ T7895]                    _raw_spin_lock_irq+0x60/0x80
[ 55.993105][ T7895]                    io_submit_one+0xaec/0x2f90
[ 56.000164][ T7895]                    __x64_sys_io_submit+0x1bd/0x580
[ 56.007392][ T7895]                    do_syscall_64+0x103/0x610
[ 56.013893][ T7895]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.021805][ T7895]  }
[ 56.024477][ T7895]  ... key      at: [] __key.52649+0x0/0x40
[ 56.032105][ T7895]  ... acquired at:
[ 56.036077][ T7895]    lock_acquire+0x16f/0x3f0
[ 56.040741][ T7895]    _raw_spin_lock+0x2f/0x40
[ 56.046160][ T7895]    io_submit_one+0xb31/0x2f90
[ 56.051013][ T7895]    __x64_sys_io_submit+0x1bd/0x580
[ 56.056342][ T7895]    do_syscall_64+0x103/0x610
[ 56.061182][ T7895]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.067232][ T7895]
[ 56.069545][ T7895] -> (&ctx->fd_wqh){....} {
[ 56.074120][ T7895]    INITIAL USE at:
[ 56.078090][ T7895]                    lock_acquire+0x16f/0x3f0
[ 56.084445][ T7895]                    _raw_spin_lock_irq+0x60/0x80
[ 56.091478][ T7895]                    userfaultfd_read+0x27a/0x1940
[ 56.098351][ T7895]                    __vfs_read+0x8d/0x110
[ 56.104321][ T7895]                    vfs_read+0x194/0x3e0
[ 56.110332][ T7895]                    ksys_read+0xea/0x1f0
[ 56.116221][ T7895]                    __x64_sys_read+0x73/0xb0
[ 56.122454][ T7895]                    do_syscall_64+0x103/0x610
[ 56.128775][ T7895]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.136648][ T7895]  }
[ 56.139231][ T7895]  ... key      at: [] __key.45459+0x0/0x40
[ 56.146819][ T7895]  ... acquired at:
[ 56.150711][ T7895]    lock_acquire+0x16f/0x3f0
[ 56.155378][ T7895]    _raw_spin_lock+0x2f/0x40
[ 56.160183][ T7895]    userfaultfd_read+0x540/0x1940
[ 56.165298][ T7895]    __vfs_read+0x8d/0x110
[ 56.169772][ T7895]    vfs_read+0x194/0x3e0
[ 56.174102][ T7895]    ksys_read+0xea/0x1f0
[ 56.178417][ T7895]    __x64_sys_read+0x73/0xb0
[ 56.183199][ T7895]    do_syscall_64+0x103/0x610
[ 56.187955][ T7895]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.194122][ T7895]
[ 56.197473][ T7895] -> (&ctx->fault_pending_wqh){+.+.} {
[ 56.202926][ T7895]    HARDIRQ-ON-W at:
[ 56.206902][ T7895]                    lock_acquire+0x16f/0x3f0
[ 56.213280][ T7895]                    _raw_spin_lock+0x2f/0x40
[ 56.219433][ T7895]                    userfaultfd_release+0x48e/0x6d0
[ 56.226375][ T7895]                    __fput+0x2e5/0x8d0
[ 56.231998][ T7895]                    ____fput+0x16/0x20
[ 56.237622][ T7895]                    task_work_run+0x14a/0x1c0
[ 56.243895][ T7895]                    do_exit+0x90a/0x2fa0
[ 56.249795][ T7895]                    do_group_exit+0x135/0x370
[ 56.256037][ T7895]                    get_signal+0x399/0x1d50
[ 56.262102][ T7895]                    do_signal+0x87/0x1940
[ 56.268209][ T7895]                    exit_to_usermode_loop+0x244/0x2c0
[ 56.275142][ T7895]                    do_syscall_64+0x52d/0x610
[ 56.281519][ T7895]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.289804][ T7895]    SOFTIRQ-ON-W at:
[ 56.293784][ T7895]                    lock_acquire+0x16f/0x3f0
[ 56.300461][ T7895]                    _raw_spin_lock+0x2f/0x40
[ 56.306615][ T7895]                    userfaultfd_release+0x48e/0x6d0
[ 56.313379][ T7895]                    __fput+0x2e5/0x8d0
[ 56.319140][ T7895]                    ____fput+0x16/0x20
[ 56.325660][ T7895]                    task_work_run+0x14a/0x1c0
[ 56.331904][ T7895]                    do_exit+0x90a/0x2fa0
[ 56.337706][ T7895]                    do_group_exit+0x135/0x370
[ 56.344035][ T7895]                    get_signal+0x399/0x1d50
[ 56.350090][ T7895]                    do_signal+0x87/0x1940
[ 56.355979][ T7895]                    exit_to_usermode_loop+0x244/0x2c0
[ 56.363227][ T7895]                    do_syscall_64+0x52d/0x610
[ 56.369639][ T7895]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.377408][ T7895]    INITIAL USE at:
[ 56.381320][ T7895]                    lock_acquire+0x16f/0x3f0
[ 56.387440][ T7895]                    _raw_spin_lock+0x2f/0x40
[ 56.393771][ T7895]                    userfaultfd_read+0x540/0x1940
[ 56.400273][ T7895]                    __vfs_read+0x8d/0x110
[ 56.406217][ T7895]                    vfs_read+0x194/0x3e0
[ 56.411930][ T7895]                    ksys_read+0xea/0x1f0
[ 56.417739][ T7895]                    __x64_sys_read+0x73/0xb0
[ 56.423796][ T7895]                    do_syscall_64+0x103/0x610
[ 56.429973][ T7895]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.437497][ T7895]  }
[ 56.439987][ T7895]  ... key      at: [] __key.45456+0x0/0x40
[ 56.447551][ T7895]  ... acquired at:
[ 56.451745][ T7895]    mark_lock+0x427/0x1380
[ 56.456243][ T7895]    __lock_acquire+0x1317/0x3fb0
[ 56.461257][ T7895]    lock_acquire+0x16f/0x3f0
[ 56.466032][ T7895]    _raw_spin_lock+0x2f/0x40
[ 56.470699][ T7895]    userfaultfd_release+0x48e/0x6d0
[ 56.476023][ T7895]    __fput+0x2e5/0x8d0
[ 56.480179][ T7895]    ____fput+0x16/0x20
[ 56.484404][ T7895]    task_work_run+0x14a/0x1c0
[ 56.489172][ T7895]    do_exit+0x90a/0x2fa0
[ 56.493490][ T7895]    do_group_exit+0x135/0x370
[ 56.498249][ T7895]    get_signal+0x399/0x1d50
[ 56.502828][ T7895]    do_signal+0x87/0x1940
[ 56.507237][ T7895]    exit_to_usermode_loop+0x244/0x2c0
[ 56.512887][ T7895]    do_syscall_64+0x52d/0x610
[ 56.517646][ T7895]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.523811][ T7895]
[ 56.526224][ T7895]
[ 56.526224][ T7895] stack backtrace:
[ 56.532380][ T7895] CPU: 0 PID: 7895 Comm: syz-executor080 Not tainted 5.1.0-rc3+ #49
[ 56.550022][ T7895] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.560756][ T7895] Call Trace:
[ 56.564051][ T7895]  dump_stack+0x172/0x1f0
[ 56.568368][ T7895]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 56.574808][ T7895]  check_usage_backwards.cold+0x1d/0x26
[ 56.580358][ T7895]  ? print_shortest_lock_dependencies+0x90/0x90
[ 56.586601][ T7895]  ? save_stack_trace+0x1a/0x20
[ 56.591642][ T7895]  mark_lock+0x427/0x1380
[ 56.596085][ T7895]  ? print_shortest_lock_dependencies+0x90/0x90
[ 56.602458][ T7895]  __lock_acquire+0x1317/0x3fb0
[ 56.607403][ T7895]  ? trace_hardirqs_off+0x62/0x220
[ 56.612768][ T7895]  ? kasan_check_read+0x11/0x20
[ 56.617832][ T7895]  ? mark_held_locks+0xf0/0xf0
[ 56.622653][ T7895]  ? save_stack+0xa9/0xd0
[ 56.626982][ T7895]  ? save_stack+0x45/0xd0
[ 56.631324][ T7895]  ? __kasan_slab_free+0x102/0x150
[ 56.636682][ T7895]  ? kasan_slab_free+0xe/0x10
[ 56.641733][ T7895]  ? kmem_cache_free+0x86/0x260
[ 56.646706][ T7895]  ? free_fs_struct+0x4f/0x70
[ 56.651372][ T7895]  ? exit_fs+0xf0/0x130
[ 56.655518][ T7895]  lock_acquire+0x16f/0x3f0
[ 56.660009][ T7895]  ? userfaultfd_release+0x48e/0x6d0
[ 56.665475][ T7895]  _raw_spin_lock+0x2f/0x40
[ 56.669970][ T7895]  ? userfaultfd_release+0x48e/0x6d0
[ 56.675560][ T7895]  userfaultfd_release+0x48e/0x6d0
[ 56.680684][ T7895]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 56.686491][ T7895]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 56.692968][ T7895]  ? ima_file_free+0xc9/0x4a0
[ 56.698143][ T7895]  ? __might_sleep+0x95/0x190
[ 56.703109][ T7895]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 56.708959][ T7895]  __fput+0x2e5/0x8d0
[ 56.713001][ T7895]  ____fput+0x16/0x20
[ 56.717181][ T7895]  task_work_run+0x14a/0x1c0
[ 56.722081][ T7895]  do_exit+0x90a/0x2fa0
[ 56.726239][ T7895]  ? get_signal+0x331/0x1d50
[ 56.730924][ T7895]  ? mm_update_next_owner+0x640/0x640
[ 56.736288][ T7895]  ? kasan_check_write+0x14/0x20
[ 56.741332][ T7895]  ? _raw_spin_unlock_irq+0x28/0x90
[ 56.746527][ T7895]  ? get_signal+0x331/0x1d50
[ 56.751120][ T7895]  ? _raw_spin_unlock_irq+0x28/0x90
[ 56.756331][ T7895]  do_group_exit+0x135/0x370
[ 56.761060][ T7895]  get_signal+0x399/0x1d50
[ 56.765485][ T7895]  ? __x64_sys_io_submit+0x31f/0x580
[ 56.770784][ T7895]  do_signal+0x87/0x1940
[ 56.775017][ T7895]  ? lock_downgrade+0x880/0x880
[ 56.780764][ T7895]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 56.788762][ T7895]  ? kasan_check_read+0x11/0x20
[ 56.793984][ T7895]  ? setup_sigcontext+0x7d0/0x7d0
[ 56.799465][ T7895]  ? exit_to_usermode_loop+0x43/0x2c0
[ 56.805206][ T7895]  ? do_syscall_64+0x52d/0x610
[ 56.809973][ T7895]  ? exit_to_usermode_loop+0x43/0x2c0
[ 56.816269][ T7895]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 56.823646][ T7895]  ? trace_hardirqs_on+0x67/0x230
[ 56.828666][ T7895]  exit_to_usermode_loop+0x244/0x2c0
[ 56.833947][ T7895]  do_syscall_64+0x52d/0x610
[ 56.838545][ T7895]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.844493][ T7895] RIP: 0033:0x4458d9
[ 56.848386][ T7895] Code: Bad RIP value.
[ 56.852435][ T7895] RSP: 002b:00007f418d882db8 EFLAGS: 00000246 OR
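What lockdep is objecting to above is not a crash but a deadlock that interrupts could trigger. The call sites in the report show two different `ctx` objects: `ctx_lock` belongs to the aio context (`io_submit_one`, `free_ioctx_users`) and is taken from RCU softirq context, so it is SOFTIRQ-safe; `fd_wqh` and `fault_pending_wqh` are the userfaultfd context's wait-queue locks, and `userfaultfd_release` takes `fault_pending_wqh` with a plain `spin_lock`, i.e. with softirqs enabled. Since a chain `ctx_lock --> fd_wqh --> fault_pending_wqh` already exists, a softirq that fires while `fault_pending_wqh` is held can take `ctx_lock` and then block forever on `fault_pending_wqh`. The following is an added example, not kernel code and not part of the syzkaller report: a minimal user-space model of the rule lockdep applies here (`check_usage_backwards` in the backtrace), fed with the three lock classes and the chain exactly as printed above. The lock names, usage bits and the two-edge graph are taken from the report; the checker itself and its function names are my own simplification of lockdep's real algorithm.

```c
/* Added example: a tiny model of lockdep's irq-inversion rule, applied to
 * the lock classes named in the report above. Not kernel code and not
 * lockdep itself. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 8

/* Usage bits, named after the state columns lockdep prints ("{+.+.}", "{..-.}"). */
enum {
    IN_HARDIRQ_W = 1u << 0, /* write-locked from hardirq context        */
    IN_SOFTIRQ_W = 1u << 1, /* write-locked from softirq context        */
    HARDIRQ_ON_W = 1u << 2, /* write-locked with hardirqs enabled       */
    SOFTIRQ_ON_W = 1u << 3, /* write-locked with softirqs enabled       */
};

struct lock_class {
    const char *name;
    unsigned usage;
    bool held_before[MAX_LOCKS]; /* held_before[j]: held while acquiring j */
};

static struct lock_class locks[MAX_LOCKS];
static int nr_locks;

void reset_locks(void) { nr_locks = 0; }

/* Find or create the class for `name`; -1 if the table is full. */
static int lock_id(const char *name)
{
    for (int i = 0; i < nr_locks; i++)
        if (strcmp(locks[i].name, name) == 0)
            return i;
    if (nr_locks == MAX_LOCKS)
        return -1;
    locks[nr_locks].name = name;
    locks[nr_locks].usage = 0;
    memset(locks[nr_locks].held_before, 0, sizeof locks[nr_locks].held_before);
    return nr_locks++;
}

/* Record one "-->" edge: `held` was held while `acquired` was taken. */
void add_dep(const char *held, const char *acquired)
{
    int h = lock_id(held), a = lock_id(acquired);
    if (h >= 0 && a >= 0)
        locks[h].held_before[a] = true;
}

/* Record a usage state observed for a lock class. */
void mark_usage(const char *name, unsigned bits)
{
    int i = lock_id(name);
    if (i >= 0)
        locks[i].usage |= bits;
}

/* Depth-first walk over the "held before" edges starting at `from`; returns
 * the first lock reachable over one or more edges whose usage has any of
 * `bits`, or -1 if none. */
static int reaches_usage(int from, unsigned bits, bool *seen)
{
    for (int j = 0; j < nr_locks; j++) {
        if (!locks[from].held_before[j] || seen[j])
            continue;
        seen[j] = true;
        if (locks[j].usage & bits)
            return j;
        int r = reaches_usage(j, bits, seen);
        if (r >= 0)
            return r;
    }
    return -1;
}

/* The rule behind the report: a lock that is ever taken from IRQ context
 * ("IRQ-safe") must never be held, directly or transitively, before a lock
 * that is taken with that IRQ level enabled ("IRQ-unsafe"). Otherwise an
 * interrupt arriving while the unsafe lock is held can take the safe lock
 * and then spin on the unsafe one. Fills *safe/*unsafe and returns true
 * when such a pair exists. */
bool find_irq_inversion(const char **safe, const char **unsafe)
{
    static const struct { unsigned in_irq, irq_on; } pairs[] = {
        { IN_HARDIRQ_W, HARDIRQ_ON_W },
        { IN_SOFTIRQ_W, SOFTIRQ_ON_W },
    };
    for (size_t p = 0; p < sizeof pairs / sizeof pairs[0]; p++) {
        for (int i = 0; i < nr_locks; i++) {
            if (!(locks[i].usage & pairs[p].in_irq))
                continue;
            bool seen[MAX_LOCKS] = { false };
            int j = reaches_usage(i, pairs[p].irq_on, seen);
            if (j >= 0) {
                *safe = locks[i].name;
                *unsafe = locks[j].name;
                return true;
            }
        }
    }
    return false;
}

/* The three classes and the chain as the report above prints them. */
void build_graph_from_report(void)
{
    reset_locks();
    /* {..-.}: IN-SOFTIRQ-W via free_ioctx_users in the RCU softirq */
    mark_usage("ctx_lock", IN_SOFTIRQ_W);
    /* {+.+.}: HARDIRQ-ON-W and SOFTIRQ-ON-W via spin_lock in userfaultfd_release */
    mark_usage("fault_pending_wqh", HARDIRQ_ON_W | SOFTIRQ_ON_W);
    add_dep("ctx_lock", "fd_wqh");              /* io_submit_one    */
    add_dep("fd_wqh", "fault_pending_wqh");     /* userfaultfd_read */
}

int main(void)
{
    const char *safe, *unsafe;
    build_graph_from_report();
    if (find_irq_inversion(&safe, &unsafe))
        printf("irq inversion: %s (IRQ-safe) --> ... --> %s (IRQ-unsafe)\n", safe, unsafe);
    else
        printf("no irq inversion\n");
    return 0;
}
```

Under this model there are two ways to make the report go away: stop taking `ctx_lock` from softirq context, or take `fault_pending_wqh` with interrupts disabled everywhere (so it never carries an `*-ON-W` bit). The second is the one the scenario table points at, since `userfaultfd_read` already takes `fd_wqh` with `_raw_spin_lock_irq`; which change upstream actually made is not something this log shows.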