[ 37.513522][ T27] audit: type=1800 audit(1554226137.643:27): pid=7577 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 37.540203][ T27] audit: type=1800 audit(1554226137.653:28): pid=7577 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 38.349044][ T27] audit: type=1800 audit(1554226138.533:29): pid=7577 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 38.369327][ T27] audit: type=1800 audit(1554226138.543:30): pid=7577 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.111' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 52.722310][ T7731]
[ 52.724654][ T7731] ========================================================
[ 52.732122][ T7731] WARNING: possible irq lock inversion dependency detected
[ 52.739433][ T7731] 5.1.0-rc3+ #47 Not tainted
[ 52.744108][ T7731] --------------------------------------------------------
[ 52.751325][ T7731] syz-executor392/7731 just changed the state of lock:
[ 52.758152][ T7731] 000000001b7d4672 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0
[ 52.767869][ T7731] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 52.775899][ T7731]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 52.775906][ T7731]
[ 52.775906][ T7731]
[ 52.775906][ T7731] and interrupts could create inverse lock ordering between them.
[ 52.775906][ T7731]
[ 52.795358][ T7731]
[ 52.795358][ T7731] other info that might help us debug this:
[ 52.803427][ T7731] Chain exists of:
[ 52.803427][ T7731]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 52.803427][ T7731]
[ 52.817730][ T7731]  Possible interrupt unsafe locking scenario:
[ 52.817730][ T7731]
[ 52.826020][ T7731]        CPU0                    CPU1
[ 52.831357][ T7731]        ----                    ----
[ 52.836695][ T7731]   lock(&ctx->fault_pending_wqh);
[ 52.841781][ T7731]                                local_irq_disable();
[ 52.848666][ T7731]                                lock(&(&ctx->ctx_lock)->rlock);
[ 52.856424][ T7731]                                lock(&ctx->fd_wqh);
[ 52.863095][ T7731]
[ 52.866656][ T7731]     lock(&(&ctx->ctx_lock)->rlock);
[ 52.871999][ T7731]
[ 52.871999][ T7731]  *** DEADLOCK ***
[ 52.871999][ T7731]
[ 52.880244][ T7731] no locks held by syz-executor392/7731.
[ 52.885842][ T7731]
[ 52.885842][ T7731] the shortest dependencies between 2nd lock and 1st lock:
[ 52.895503][ T7731] -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 52.901253][ T7731]   IN-SOFTIRQ-W at:
[ 52.905393][ T7731]     lock_acquire+0x16f/0x3f0
[ 52.911882][ T7731]     _raw_spin_lock_irq+0x60/0x80
[ 52.918703][ T7731]     free_ioctx_users+0x2d/0x4a0
[ 52.925432][ T7731]     percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[ 52.933622][ T7731]     rcu_core+0x928/0x1390
[ 52.939836][ T7731]     __do_softirq+0x266/0x95a
[ 52.946305][ T7731]     irq_exit+0x180/0x1d0
[ 52.952423][ T7731]     smp_apic_timer_interrupt+0x14a/0x570
[ 52.960167][ T7731]     apic_timer_interrupt+0xf/0x20
[ 52.967095][ T7731]     native_safe_halt+0x2/0x10
[ 52.973880][ T7731]     arch_cpu_idle+0x10/0x20
[ 52.980530][ T7731]     default_idle_call+0x36/0x90
[ 52.987273][ T7731]     do_idle+0x386/0x570
[ 52.993648][ T7731]     cpu_startup_entry+0x1b/0x20
[ 53.000634][ T7731]     rest_init+0x245/0x37b
[ 53.006849][ T7731]     arch_call_rest_init+0xe/0x1b
[ 53.013806][ T7731]     start_kernel+0x816/0x84f
[ 53.020598][ T7731]     x86_64_start_reservations+0x29/0x2b
[ 53.028027][ T7731]     x86_64_start_kernel+0x77/0x7b
[ 53.034944][ T7731]     secondary_startup_64+0xa4/0xb0
[ 53.042012][ T7731]   INITIAL USE at:
[ 53.046057][ T7731]     lock_acquire+0x16f/0x3f0
[ 53.052438][ T7731]     _raw_spin_lock_irq+0x60/0x80
[ 53.059424][ T7731]     io_submit_one+0xaec/0x2f90
[ 53.066107][ T7731]     __ia32_compat_sys_io_submit+0x1be/0x570
[ 53.073799][ T7731]     do_fast_syscall_32+0x281/0xc98
[ 53.080815][ T7731]     entry_SYSENTER_compat+0x70/0x7f
[ 53.089322][ T7731] }
[ 53.092441][ T7731] ... key at: [] __key.52649+0x0/0x40
[ 53.100100][ T7731] ... acquired at:
[ 53.104062][ T7731]   lock_acquire+0x16f/0x3f0
[ 53.108711][ T7731]   _raw_spin_lock+0x2f/0x40
[ 53.113464][ T7731]   io_submit_one+0xb31/0x2f90
[ 53.118303][ T7731]   __ia32_compat_sys_io_submit+0x1be/0x570
[ 53.124482][ T7731]   do_fast_syscall_32+0x281/0xc98
[ 53.129743][ T7731]   entry_SYSENTER_compat+0x70/0x7f
[ 53.135008][ T7731]
[ 53.137428][ T7731] -> (&ctx->fd_wqh){....} {
[ 53.142224][ T7731]   INITIAL USE at:
[ 53.146177][ T7731]     lock_acquire+0x16f/0x3f0
[ 53.152694][ T7731]     _raw_spin_lock_irq+0x60/0x80
[ 53.159320][ T7731]     userfaultfd_read+0x27a/0x1940
[ 53.165969][ T7731]     __vfs_read+0x8d/0x110
[ 53.172077][ T7731]     vfs_read+0x194/0x3e0
[ 53.178044][ T7731]     ksys_read+0xea/0x1f0
[ 53.183913][ T7731]     __ia32_sys_read+0x71/0xb0
[ 53.190227][ T7731]     do_fast_syscall_32+0x281/0xc98
[ 53.196965][ T7731]     entry_SYSENTER_compat+0x70/0x7f
[ 53.203787][ T7731] }
[ 53.206353][ T7731] ... key at: [] __key.45459+0x0/0x40
[ 53.213865][ T7731] ... acquired at:
[ 53.217729][ T7731]   lock_acquire+0x16f/0x3f0
[ 53.222559][ T7731]   _raw_spin_lock+0x2f/0x40
[ 53.227205][ T7731]   userfaultfd_read+0x540/0x1940
[ 53.232380][ T7731]   __vfs_read+0x8d/0x110
[ 53.236865][ T7731]   vfs_read+0x194/0x3e0
[ 53.241217][ T7731]   ksys_read+0xea/0x1f0
[ 53.245519][ T7731]   __ia32_sys_read+0x71/0xb0
[ 53.250350][ T7731]   do_fast_syscall_32+0x281/0xc98
[ 53.255519][ T7731]   entry_SYSENTER_compat+0x70/0x7f
[ 53.260770][ T7731]
[ 53.263080][ T7731] -> (&ctx->fault_pending_wqh){+.+.} {
[ 53.268551][ T7731]   HARDIRQ-ON-W at:
[ 53.272510][ T7731]     lock_acquire+0x16f/0x3f0
[ 53.278653][ T7731]     _raw_spin_lock+0x2f/0x40
[ 53.284769][ T7731]     userfaultfd_release+0x48e/0x6d0
[ 53.291722][ T7731]     __fput+0x2e5/0x8d0
[ 53.297325][ T7731]     ____fput+0x16/0x20
[ 53.303066][ T7731]     task_work_run+0x14a/0x1c0
[ 53.309282][ T7731]     do_exit+0x90a/0x2fa0
[ 53.315072][ T7731]     do_group_exit+0x135/0x370
[ 53.321339][ T7731]     get_signal+0x399/0x1d50
[ 53.327382][ T7731]     do_signal+0x87/0x1940
[ 53.333250][ T7731]     exit_to_usermode_loop+0x244/0x2c0
[ 53.340159][ T7731]     do_fast_syscall_32+0xa9d/0xc98
[ 53.346935][ T7731]     entry_SYSENTER_compat+0x70/0x7f
[ 53.353681][ T7731]   SOFTIRQ-ON-W at:
[ 53.357637][ T7731]     lock_acquire+0x16f/0x3f0
[ 53.363814][ T7731]     _raw_spin_lock+0x2f/0x40
[ 53.369942][ T7731]     userfaultfd_release+0x48e/0x6d0
[ 53.376692][ T7731]     __fput+0x2e5/0x8d0
[ 53.382295][ T7731]     ____fput+0x16/0x20
[ 53.387894][ T7731]     task_work_run+0x14a/0x1c0
[ 53.394246][ T7731]     do_exit+0x90a/0x2fa0
[ 53.400077][ T7731]     do_group_exit+0x135/0x370
[ 53.406288][ T7731]     get_signal+0x399/0x1d50
[ 53.412325][ T7731]     do_signal+0x87/0x1940
[ 53.418186][ T7731]     exit_to_usermode_loop+0x244/0x2c0
[ 53.425124][ T7731]     do_fast_syscall_32+0xa9d/0xc98
[ 53.431867][ T7731]     entry_SYSENTER_compat+0x70/0x7f
[ 53.438591][ T7731]   INITIAL USE at:
[ 53.442452][ T7731]     lock_acquire+0x16f/0x3f0
[ 53.448546][ T7731]     _raw_spin_lock+0x2f/0x40
[ 53.454585][ T7731]     userfaultfd_read+0x540/0x1940
[ 53.461100][ T7731]     __vfs_read+0x8d/0x110
[ 53.466879][ T7731]     vfs_read+0x194/0x3e0
[ 53.472564][ T7731]     ksys_read+0xea/0x1f0
[ 53.478263][ T7731]     __ia32_sys_read+0x71/0xb0
[ 53.484620][ T7731]     do_fast_syscall_32+0x281/0xc98
[ 53.491296][ T7731]     entry_SYSENTER_compat+0x70/0x7f
[ 53.497951][ T7731] }
[ 53.500433][ T7731] ... key at: [] __key.45456+0x0/0x40
[ 53.507871][ T7731] ... acquired at:
[ 53.511665][ T7731]   mark_lock+0x427/0x1380
[ 53.516144][ T7731]   __lock_acquire+0x1317/0x3fb0
[ 53.521138][ T7731]   lock_acquire+0x16f/0x3f0
[ 53.525791][ T7731]   _raw_spin_lock+0x2f/0x40
[ 53.530443][ T7731]   userfaultfd_release+0x48e/0x6d0
[ 53.535696][ T7731]   __fput+0x2e5/0x8d0
[ 53.540106][ T7731]   ____fput+0x16/0x20
[ 53.544235][ T7731]   task_work_run+0x14a/0x1c0
[ 53.549130][ T7731]   do_exit+0x90a/0x2fa0
[ 53.553431][ T7731]   do_group_exit+0x135/0x370
[ 53.558293][ T7731]   get_signal+0x399/0x1d50
[ 53.562852][ T7731]   do_signal+0x87/0x1940
[ 53.567237][ T7731]   exit_to_usermode_loop+0x244/0x2c0
[ 53.572669][ T7731]   do_fast_syscall_32+0xa9d/0xc98
[ 53.577834][ T7731]   entry_SYSENTER_compat+0x70/0x7f
[ 53.583093][ T7731]
[ 53.585389][ T7731]
[ 53.585389][ T7731] stack backtrace:
[ 53.591259][ T7731] CPU: 0 PID: 7731 Comm: syz-executor392 Not tainted 5.1.0-rc3+ #47
[ 53.599419][ T7731] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.609555][ T7731] Call Trace:
[ 53.612822][ T7731]  dump_stack+0x172/0x1f0
[ 53.617183][ T7731]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 53.623237][ T7731]  check_usage_backwards.cold+0x1d/0x26
[ 53.628753][ T7731]  ? print_shortest_lock_dependencies+0x90/0x90
[ 53.634964][ T7731]  ? save_stack_trace+0x1a/0x20
[ 53.639783][ T7731]  mark_lock+0x427/0x1380
[ 53.644095][ T7731]  ? print_shortest_lock_dependencies+0x90/0x90
[ 53.650348][ T7731]  __lock_acquire+0x1317/0x3fb0
[ 53.655172][ T7731]  ? trace_hardirqs_off+0x62/0x220
[ 53.660253][ T7731]  ? kasan_check_read+0x11/0x20
[ 53.665082][ T7731]  ? mark_held_locks+0xf0/0xf0
[ 53.669839][ T7731]  ? save_stack+0xa9/0xd0
[ 53.674211][ T7731]  ? save_stack+0x45/0xd0
[ 53.678523][ T7731]  ? __kasan_slab_free+0x102/0x150
[ 53.683723][ T7731]  ? kasan_slab_free+0xe/0x10
[ 53.688384][ T7731]  ? kmem_cache_free+0x86/0x260
[ 53.693207][ T7731]  ? free_fs_struct+0x4f/0x70
[ 53.697915][ T7731]  ? exit_fs+0xf0/0x130
[ 53.702691][ T7731]  lock_acquire+0x16f/0x3f0
[ 53.707174][ T7731]  ? userfaultfd_release+0x48e/0x6d0
[ 53.712433][ T7731]  _raw_spin_lock+0x2f/0x40
[ 53.716962][ T7731]  ? userfaultfd_release+0x48e/0x6d0
[ 53.722233][ T7731]  userfaultfd_release+0x48e/0x6d0
[ 53.727370][ T7731]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 53.733288][ T7731]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 53.739509][ T7731]  ? ima_file_free+0xc9/0x4a0
[ 53.744153][ T7731]  ? __might_sleep+0x95/0x190
[ 53.748799][ T7731]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 53.754612][ T7731]  __fput+0x2e5/0x8d0
[ 53.758581][ T7731]  ____fput+0x16/0x20
[ 53.762549][ T7731]  task_work_run+0x14a/0x1c0
[ 53.767287][ T7731]  do_exit+0x90a/0x2fa0
[ 53.771414][ T7731]  ? get_signal+0x331/0x1d50
[ 53.775978][ T7731]  ? mm_update_next_owner+0x640/0x640
[ 53.781323][ T7731]  ? kasan_check_write+0x14/0x20
[ 53.786262][ T7731]  ? _raw_spin_unlock_irq+0x28/0x90
[ 53.791426][ T7731]  ? get_signal+0x331/0x1d50
[ 53.796048][ T7731]  ? _raw_spin_unlock_irq+0x28/0x90
[ 53.801295][ T7731]  do_group_exit+0x135/0x370
[ 53.805859][ T7731]  get_signal+0x399/0x1d50
[ 53.810265][ T7731]  ? __ia32_compat_sys_io_submit+0x2fe/0x570
[ 53.816229][ T7731]  do_signal+0x87/0x1940
[ 53.820444][ T7731]  ? lock_downgrade+0x880/0x880
[ 53.825260][ T7731]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.831585][ T7731]  ? setup_sigcontext+0x7d0/0x7d0
[ 53.836607][ T7731]  ? exit_to_usermode_loop+0x43/0x2c0
[ 53.841950][ T7731]  ? do_fast_syscall_32+0xa9d/0xc98
[ 53.847158][ T7731]  ? exit_to_usermode_loop+0x43/0x2c0
[ 53.852502][ T7731]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 53.857798][ T7731]  ? trace_hardirqs_on+0x67/0x230
[ 53.862795][ T7731]  exit_to_usermode_loop+0x244/0x2c0
[ 53.868062][ T7731]  do_fast_syscall_32+0xa9d/0xc98
[ 53.873061][ T7731]  entry_SYSENTER_compat+0x70/0x7f
[ 53.878150][ T7731] RIP: 0023:0xf7ff9869
[ 53.882196][ T7731] Code: Bad RIP value.
[ 53.886233][ T7731] RSP: 002b:00000000f7fd41ec EFLAGS: 00000296 ORIG_RAX: 00000000000000f0
[ 53.894625][ T7731] RAX: fffffffffffffe00 RBX: 00000000080fb018 RCX: 0000000000000080
[ 53.902672][ T7731] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000f7f88000
[ 53.910635][ T7731] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[ 53.918576][ T7731] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 53.926521