[   37.513522][   T27] audit: type=1800 audit(1554226137.643:27): pid=7577 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[   37.540203][   T27] audit: type=1800 audit(1554226137.653:28): pid=7577 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   38.349044][   T27] audit: type=1800 audit(1554226138.533:29): pid=7577 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   38.369327][   T27] audit: type=1800 audit(1554226138.543:30): pid=7577 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.111' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   52.722310][ T7731] 
[   52.724654][ T7731] ========================================================
[   52.732122][ T7731] WARNING: possible irq lock inversion dependency detected
[   52.739433][ T7731] 5.1.0-rc3+ #47 Not tainted
[   52.744108][ T7731] --------------------------------------------------------
[   52.751325][ T7731] syz-executor392/7731 just changed the state of lock:
[   52.758152][ T7731] 000000001b7d4672 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0
[   52.767869][ T7731] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[   52.775899][ T7731]  (&(&ctx->ctx_lock)->rlock){..-.}
[   52.775906][ T7731] 
[   52.775906][ T7731] 
[   52.775906][ T7731] and interrupts could create inverse lock ordering between them.
[   52.775906][ T7731] 
[   52.795358][ T7731] 
[   52.795358][ T7731] other info that might help us debug this:
[   52.803427][ T7731] Chain exists of:
[   52.803427][ T7731]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[   52.803427][ T7731] 
[   52.817730][ T7731]  Possible interrupt unsafe locking scenario:
[   52.817730][ T7731] 
[   52.826020][ T7731]        CPU0                    CPU1
[   52.831357][ T7731]        ----                    ----
[   52.836695][ T7731]   lock(&ctx->fault_pending_wqh);
[   52.841781][ T7731]                                local_irq_disable();
[   52.848666][ T7731]                                lock(&(&ctx->ctx_lock)->rlock);
[   52.856424][ T7731]                                lock(&ctx->fd_wqh);
[   52.863095][ T7731]   <Interrupt>
[   52.866656][ T7731]     lock(&(&ctx->ctx_lock)->rlock);
[   52.871999][ T7731] 
[   52.871999][ T7731]  *** DEADLOCK ***
[   52.871999][ T7731] 
[   52.880244][ T7731] no locks held by syz-executor392/7731.
[   52.885842][ T7731] 
[   52.885842][ T7731] the shortest dependencies between 2nd lock and 1st lock:
[   52.895503][ T7731]   -> (&(&ctx->ctx_lock)->rlock){..-.} {
[   52.901253][ T7731]      IN-SOFTIRQ-W at:
[   52.905393][ T7731]                         lock_acquire+0x16f/0x3f0
[   52.911882][ T7731]                         _raw_spin_lock_irq+0x60/0x80
[   52.918703][ T7731]                         free_ioctx_users+0x2d/0x4a0
[   52.925432][ T7731]                         percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[   52.933622][ T7731]                         rcu_core+0x928/0x1390
[   52.939836][ T7731]                         __do_softirq+0x266/0x95a
[   52.946305][ T7731]                         irq_exit+0x180/0x1d0
[   52.952423][ T7731]                         smp_apic_timer_interrupt+0x14a/0x570
[   52.960167][ T7731]                         apic_timer_interrupt+0xf/0x20
[   52.967095][ T7731]                         native_safe_halt+0x2/0x10
[   52.973880][ T7731]                         arch_cpu_idle+0x10/0x20
[   52.980530][ T7731]                         default_idle_call+0x36/0x90
[   52.987273][ T7731]                         do_idle+0x386/0x570
[   52.993648][ T7731]                         cpu_startup_entry+0x1b/0x20
[   53.000634][ T7731]                         rest_init+0x245/0x37b
[   53.006849][ T7731]                         arch_call_rest_init+0xe/0x1b
[   53.013806][ T7731]                         start_kernel+0x816/0x84f
[   53.020598][ T7731]                         x86_64_start_reservations+0x29/0x2b
[   53.028027][ T7731]                         x86_64_start_kernel+0x77/0x7b
[   53.034944][ T7731]                         secondary_startup_64+0xa4/0xb0
[   53.042012][ T7731]      INITIAL USE at:
[   53.046057][ T7731]                        lock_acquire+0x16f/0x3f0
[   53.052438][ T7731]                        _raw_spin_lock_irq+0x60/0x80
[   53.059424][ T7731]                        io_submit_one+0xaec/0x2f90
[   53.066107][ T7731]                        __ia32_compat_sys_io_submit+0x1be/0x570
[   53.073799][ T7731]                        do_fast_syscall_32+0x281/0xc98
[   53.080815][ T7731]                        entry_SYSENTER_compat+0x70/0x7f
[   53.089322][ T7731]    }
[   53.092441][ T7731]    ... key      at: [<ffffffff8a5e8ea0>] __key.52649+0x0/0x40
[   53.100100][ T7731]    ... acquired at:
[   53.104062][ T7731]    lock_acquire+0x16f/0x3f0
[   53.108711][ T7731]    _raw_spin_lock+0x2f/0x40
[   53.113464][ T7731]    io_submit_one+0xb31/0x2f90
[   53.118303][ T7731]    __ia32_compat_sys_io_submit+0x1be/0x570
[   53.124482][ T7731]    do_fast_syscall_32+0x281/0xc98
[   53.129743][ T7731]    entry_SYSENTER_compat+0x70/0x7f
[   53.135008][ T7731] 
[   53.137428][ T7731]  -> (&ctx->fd_wqh){....} {
[   53.142224][ T7731]     INITIAL USE at:
[   53.146177][ T7731]                      lock_acquire+0x16f/0x3f0
[   53.152694][ T7731]                      _raw_spin_lock_irq+0x60/0x80
[   53.159320][ T7731]                      userfaultfd_read+0x27a/0x1940
[   53.165969][ T7731]                      __vfs_read+0x8d/0x110
[   53.172077][ T7731]                      vfs_read+0x194/0x3e0
[   53.178044][ T7731]                      ksys_read+0xea/0x1f0
[   53.183913][ T7731]                      __ia32_sys_read+0x71/0xb0
[   53.190227][ T7731]                      do_fast_syscall_32+0x281/0xc98
[   53.196965][ T7731]                      entry_SYSENTER_compat+0x70/0x7f
[   53.203787][ T7731]   }
[   53.206353][ T7731]   ... key      at: [<ffffffff8a5e8c20>] __key.45459+0x0/0x40
[   53.213865][ T7731]   ... acquired at:
[   53.217729][ T7731]    lock_acquire+0x16f/0x3f0
[   53.222559][ T7731]    _raw_spin_lock+0x2f/0x40
[   53.227205][ T7731]    userfaultfd_read+0x540/0x1940
[   53.232380][ T7731]    __vfs_read+0x8d/0x110
[   53.236865][ T7731]    vfs_read+0x194/0x3e0
[   53.241217][ T7731]    ksys_read+0xea/0x1f0
[   53.245519][ T7731]    __ia32_sys_read+0x71/0xb0
[   53.250350][ T7731]    do_fast_syscall_32+0x281/0xc98
[   53.255519][ T7731]    entry_SYSENTER_compat+0x70/0x7f
[   53.260770][ T7731] 
[   53.263080][ T7731] -> (&ctx->fault_pending_wqh){+.+.} {
[   53.268551][ T7731]    HARDIRQ-ON-W at:
[   53.272510][ T7731]                     lock_acquire+0x16f/0x3f0
[   53.278653][ T7731]                     _raw_spin_lock+0x2f/0x40
[   53.284769][ T7731]                     userfaultfd_release+0x48e/0x6d0
[   53.291722][ T7731]                     __fput+0x2e5/0x8d0
[   53.297325][ T7731]                     ____fput+0x16/0x20
[   53.303066][ T7731]                     task_work_run+0x14a/0x1c0
[   53.309282][ T7731]                     do_exit+0x90a/0x2fa0
[   53.315072][ T7731]                     do_group_exit+0x135/0x370
[   53.321339][ T7731]                     get_signal+0x399/0x1d50
[   53.327382][ T7731]                     do_signal+0x87/0x1940
[   53.333250][ T7731]                     exit_to_usermode_loop+0x244/0x2c0
[   53.340159][ T7731]                     do_fast_syscall_32+0xa9d/0xc98
[   53.346935][ T7731]                     entry_SYSENTER_compat+0x70/0x7f
[   53.353681][ T7731]    SOFTIRQ-ON-W at:
[   53.357637][ T7731]                     lock_acquire+0x16f/0x3f0
[   53.363814][ T7731]                     _raw_spin_lock+0x2f/0x40
[   53.369942][ T7731]                     userfaultfd_release+0x48e/0x6d0
[   53.376692][ T7731]                     __fput+0x2e5/0x8d0
[   53.382295][ T7731]                     ____fput+0x16/0x20
[   53.387894][ T7731]                     task_work_run+0x14a/0x1c0
[   53.394246][ T7731]                     do_exit+0x90a/0x2fa0
[   53.400077][ T7731]                     do_group_exit+0x135/0x370
[   53.406288][ T7731]                     get_signal+0x399/0x1d50
[   53.412325][ T7731]                     do_signal+0x87/0x1940
[   53.418186][ T7731]                     exit_to_usermode_loop+0x244/0x2c0
[   53.425124][ T7731]                     do_fast_syscall_32+0xa9d/0xc98
[   53.431867][ T7731]                     entry_SYSENTER_compat+0x70/0x7f
[   53.438591][ T7731]    INITIAL USE at:
[   53.442452][ T7731]                    lock_acquire+0x16f/0x3f0
[   53.448546][ T7731]                    _raw_spin_lock+0x2f/0x40
[   53.454585][ T7731]                    userfaultfd_read+0x540/0x1940
[   53.461100][ T7731]                    __vfs_read+0x8d/0x110
[   53.466879][ T7731]                    vfs_read+0x194/0x3e0
[   53.472564][ T7731]                    ksys_read+0xea/0x1f0
[   53.478263][ T7731]                    __ia32_sys_read+0x71/0xb0
[   53.484620][ T7731]                    do_fast_syscall_32+0x281/0xc98
[   53.491296][ T7731]                    entry_SYSENTER_compat+0x70/0x7f
[   53.497951][ T7731]  }
[   53.500433][ T7731]  ... key      at: [<ffffffff8a5e8ce0>] __key.45456+0x0/0x40
[   53.507871][ T7731]  ... acquired at:
[   53.511665][ T7731]    mark_lock+0x427/0x1380
[   53.516144][ T7731]    __lock_acquire+0x1317/0x3fb0
[   53.521138][ T7731]    lock_acquire+0x16f/0x3f0
[   53.525791][ T7731]    _raw_spin_lock+0x2f/0x40
[   53.530443][ T7731]    userfaultfd_release+0x48e/0x6d0
[   53.535696][ T7731]    __fput+0x2e5/0x8d0
[   53.540106][ T7731]    ____fput+0x16/0x20
[   53.544235][ T7731]    task_work_run+0x14a/0x1c0
[   53.549130][ T7731]    do_exit+0x90a/0x2fa0
[   53.553431][ T7731]    do_group_exit+0x135/0x370
[   53.558293][ T7731]    get_signal+0x399/0x1d50
[   53.562852][ T7731]    do_signal+0x87/0x1940
[   53.567237][ T7731]    exit_to_usermode_loop+0x244/0x2c0
[   53.572669][ T7731]    do_fast_syscall_32+0xa9d/0xc98
[   53.577834][ T7731]    entry_SYSENTER_compat+0x70/0x7f
[   53.583093][ T7731] 
[   53.585389][ T7731] 
[   53.585389][ T7731] stack backtrace:
[   53.591259][ T7731] CPU: 0 PID: 7731 Comm: syz-executor392 Not tainted 5.1.0-rc3+ #47
[   53.599419][ T7731] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.609555][ T7731] Call Trace:
[   53.612822][ T7731]  dump_stack+0x172/0x1f0
[   53.617183][ T7731]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[   53.623237][ T7731]  check_usage_backwards.cold+0x1d/0x26
[   53.628753][ T7731]  ? print_shortest_lock_dependencies+0x90/0x90
[   53.634964][ T7731]  ? save_stack_trace+0x1a/0x20
[   53.639783][ T7731]  mark_lock+0x427/0x1380
[   53.644095][ T7731]  ? print_shortest_lock_dependencies+0x90/0x90
[   53.650348][ T7731]  __lock_acquire+0x1317/0x3fb0
[   53.655172][ T7731]  ? trace_hardirqs_off+0x62/0x220
[   53.660253][ T7731]  ? kasan_check_read+0x11/0x20
[   53.665082][ T7731]  ? mark_held_locks+0xf0/0xf0
[   53.669839][ T7731]  ? save_stack+0xa9/0xd0
[   53.674211][ T7731]  ? save_stack+0x45/0xd0
[   53.678523][ T7731]  ? __kasan_slab_free+0x102/0x150
[   53.683723][ T7731]  ? kasan_slab_free+0xe/0x10
[   53.688384][ T7731]  ? kmem_cache_free+0x86/0x260
[   53.693207][ T7731]  ? free_fs_struct+0x4f/0x70
[   53.697915][ T7731]  ? exit_fs+0xf0/0x130
[   53.702691][ T7731]  lock_acquire+0x16f/0x3f0
[   53.707174][ T7731]  ? userfaultfd_release+0x48e/0x6d0
[   53.712433][ T7731]  _raw_spin_lock+0x2f/0x40
[   53.716962][ T7731]  ? userfaultfd_release+0x48e/0x6d0
[   53.722233][ T7731]  userfaultfd_release+0x48e/0x6d0
[   53.727370][ T7731]  ? userfaultfd_wake_function+0x2f0/0x2f0
[   53.733288][ T7731]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   53.739509][ T7731]  ? ima_file_free+0xc9/0x4a0
[   53.744153][ T7731]  ? __might_sleep+0x95/0x190
[   53.748799][ T7731]  ? userfaultfd_wake_function+0x2f0/0x2f0
[   53.754612][ T7731]  __fput+0x2e5/0x8d0
[   53.758581][ T7731]  ____fput+0x16/0x20
[   53.762549][ T7731]  task_work_run+0x14a/0x1c0
[   53.767287][ T7731]  do_exit+0x90a/0x2fa0
[   53.771414][ T7731]  ? get_signal+0x331/0x1d50
[   53.775978][ T7731]  ? mm_update_next_owner+0x640/0x640
[   53.781323][ T7731]  ? kasan_check_write+0x14/0x20
[   53.786262][ T7731]  ? _raw_spin_unlock_irq+0x28/0x90
[   53.791426][ T7731]  ? get_signal+0x331/0x1d50
[   53.796048][ T7731]  ? _raw_spin_unlock_irq+0x28/0x90
[   53.801295][ T7731]  do_group_exit+0x135/0x370
[   53.805859][ T7731]  get_signal+0x399/0x1d50
[   53.810265][ T7731]  ? __ia32_compat_sys_io_submit+0x2fe/0x570
[   53.816229][ T7731]  do_signal+0x87/0x1940
[   53.820444][ T7731]  ? lock_downgrade+0x880/0x880
[   53.825260][ T7731]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.831585][ T7731]  ? setup_sigcontext+0x7d0/0x7d0
[   53.836607][ T7731]  ? exit_to_usermode_loop+0x43/0x2c0
[   53.841950][ T7731]  ? do_fast_syscall_32+0xa9d/0xc98
[   53.847158][ T7731]  ? exit_to_usermode_loop+0x43/0x2c0
[   53.852502][ T7731]  ? lockdep_hardirqs_on+0x418/0x5d0
[   53.857798][ T7731]  ? trace_hardirqs_on+0x67/0x230
[   53.862795][ T7731]  exit_to_usermode_loop+0x244/0x2c0
[   53.868062][ T7731]  do_fast_syscall_32+0xa9d/0xc98
[   53.873061][ T7731]  entry_SYSENTER_compat+0x70/0x7f
[   53.878150][ T7731] RIP: 0023:0xf7ff9869
[   53.882196][ T7731] Code: Bad RIP value.
[   53.886233][ T7731] RSP: 002b:00000000f7fd41ec EFLAGS: 00000296 ORIG_RAX: 00000000000000f0
[   53.894625][ T7731] RAX: fffffffffffffe00 RBX: 00000000080fb018 RCX: 0000000000000080
[   53.902672][ T7731] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000f7f88000
[   53.910635][ T7731] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   53.918576][ T7731] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   53.926521