[ ok ] Starting enhanced syslogd: rsyslogd.
[ 70.664969][ T24] audit: type=1800 audit(1560753232.398:25): pid=8707 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 70.686487][ T24] audit: type=1800 audit(1560753232.398:26): pid=8707 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 70.745115][ T24] audit: type=1800 audit(1560753232.398:27): pid=8707 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.187' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 86.977386][ T8863]
[ 86.979764][ T8863] ========================================================
[ 86.987110][ T8863] WARNING: possible irq lock inversion dependency detected
[ 86.994568][ T8863] 5.2.0-rc4+ #27 Not tainted
[ 86.999494][ T8863] --------------------------------------------------------
[ 87.006870][ T8863] syz-executor104/8863 just changed the state of lock:
[ 87.013877][ T8863] 00000000ee039e9f (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x4ca/0x710
[ 87.023777][ T8863] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 87.032018][ T8863]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 87.032029][ T8863]
[ 87.032029][ T8863]
[ 87.032029][ T8863] and interrupts could create inverse lock ordering between them.
[ 87.032029][ T8863]
[ 87.052882][ T8863]
[ 87.052882][ T8863] other info that might help us debug this:
[ 87.061378][ T8863] Chain exists of:
[ 87.061378][ T8863]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 87.061378][ T8863]
[ 87.075700][ T8863]  Possible interrupt unsafe locking scenario:
[ 87.075700][ T8863]
[ 87.084174][ T8863]        CPU0                    CPU1
[ 87.089671][ T8863]        ----                    ----
[ 87.095033][ T8863]   lock(&ctx->fault_pending_wqh);
[ 87.100426][ T8863]                                local_irq_disable();
[ 87.107302][ T8863]                                lock(&(&ctx->ctx_lock)->rlock);
[ 87.115129][ T8863]                                lock(&ctx->fd_wqh);
[ 87.121870][ T8863]
[ 87.125332][ T8863]     lock(&(&ctx->ctx_lock)->rlock);
[ 87.130977][ T8863]
[ 87.130977][ T8863]  *** DEADLOCK ***
[ 87.130977][ T8863]
[ 87.139238][ T8863] no locks held by syz-executor104/8863.
[ 87.144851][ T8863]
[ 87.144851][ T8863] the shortest dependencies between 2nd lock and 1st lock:
[ 87.154586][ T8863] -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 87.160308][ T8863]    IN-SOFTIRQ-W at:
[ 87.164616][ T8863]                     lock_acquire+0x16f/0x3f0
[ 87.171165][ T8863]                     _raw_spin_lock_irq+0x60/0x80
[ 87.178039][ T8863]                     free_ioctx_users+0x2d/0x490
[ 87.184849][ T8863]                     percpu_ref_switch_to_atomic_rcu+0x407/0x540
[ 87.193056][ T8863]                     rcu_core+0xba5/0x1500
[ 87.199335][ T8863]                     __do_softirq+0x25c/0x94c
[ 87.205958][ T8863]                     irq_exit+0x180/0x1d0
[ 87.212133][ T8863]                     smp_apic_timer_interrupt+0x13b/0x550
[ 87.219882][ T8863]                     apic_timer_interrupt+0xf/0x20
[ 87.226824][ T8863]                     native_safe_halt+0xe/0x10
[ 87.233803][ T8863]                     arch_cpu_idle+0xa/0x10
[ 87.240244][ T8863]                     default_idle_call+0x36/0x90
[ 87.247126][ T8863]                     do_idle+0x377/0x560
[ 87.253337][ T8863]                     cpu_startup_entry+0x1b/0x20
[ 87.260474][ T8863]                     rest_init+0x245/0x37b
[ 87.266769][ T8863]                     arch_call_rest_init+0xe/0x1b
[ 87.273805][ T8863]                     start_kernel+0x854/0x893
[ 87.280499][ T8863]                     x86_64_start_reservations+0x29/0x2b
[ 87.288095][ T8863]                     x86_64_start_kernel+0x77/0x7b
[ 87.295253][ T8863]                     secondary_startup_64+0xa4/0xb0
[ 87.302494][ T8863]    INITIAL USE at:
[ 87.306606][ T8863]                    lock_acquire+0x16f/0x3f0
[ 87.313145][ T8863]                    _raw_spin_lock_irq+0x60/0x80
[ 87.320015][ T8863]                    io_submit_one+0xeb5/0x2ef0
[ 87.326630][ T8863]                    __ia32_compat_sys_io_submit+0x1bf/0x570
[ 87.334508][ T8863]                    do_fast_syscall_32+0x27b/0xd7d
[ 87.341684][ T8863]                    entry_SYSENTER_compat+0x70/0x7f
[ 87.348797][ T8863]  }
[ 87.351626][ T8863]  ... key at: [] __key.53428+0x0/0x40
[ 87.359249][ T8863]  ... acquired at:
[ 87.363245][ T8863]    _raw_spin_lock+0x2f/0x40
[ 87.368030][ T8863]    io_submit_one+0xefa/0x2ef0
[ 87.372888][ T8863]    __ia32_compat_sys_io_submit+0x1bf/0x570
[ 87.378967][ T8863]    do_fast_syscall_32+0x27b/0xd7d
[ 87.384258][ T8863]    entry_SYSENTER_compat+0x70/0x7f
[ 87.389614][ T8863]
[ 87.391938][ T8863] -> (&ctx->fd_wqh){....} {
[ 87.396527][ T8863]    INITIAL USE at:
[ 87.400524][ T8863]                    lock_acquire+0x16f/0x3f0
[ 87.406884][ T8863]                    _raw_spin_lock_irq+0x60/0x80
[ 87.413543][ T8863]                    userfaultfd_read+0x27a/0x1940
[ 87.420265][ T8863]                    __vfs_read+0x8a/0x110
[ 87.426247][ T8863]                    vfs_read+0x194/0x3e0
[ 87.432313][ T8863]                    ksys_read+0x14f/0x290
[ 87.438300][ T8863]                    __ia32_sys_read+0x71/0xb0
[ 87.444742][ T8863]                    do_fast_syscall_32+0x27b/0xd7d
[ 87.451512][ T8863]                    entry_SYSENTER_compat+0x70/0x7f
[ 87.458349][ T8863]  }
[ 87.460948][ T8863]  ... key at: [] __key.46104+0x0/0x40
[ 87.468590][ T8863]  ... acquired at:
[ 87.472676][ T8863]    _raw_spin_lock+0x2f/0x40
[ 87.477435][ T8863]    userfaultfd_read+0x540/0x1940
[ 87.482647][ T8863]    __vfs_read+0x8a/0x110
[ 87.487206][ T8863]    vfs_read+0x194/0x3e0
[ 87.491554][ T8863]    ksys_read+0x14f/0x290
[ 87.496152][ T8863]    __ia32_sys_read+0x71/0xb0
[ 87.500920][ T8863]    do_fast_syscall_32+0x27b/0xd7d
[ 87.506113][ T8863]    entry_SYSENTER_compat+0x70/0x7f
[ 87.511388][ T8863]
[ 87.513709][ T8863] -> (&ctx->fault_pending_wqh){+.+.} {
[ 87.519162][ T8863]    HARDIRQ-ON-W at:
[ 87.523148][ T8863]                    lock_acquire+0x16f/0x3f0
[ 87.529307][ T8863]                    _raw_spin_lock+0x2f/0x40
[ 87.535851][ T8863]                    userfaultfd_release+0x4ca/0x710
[ 87.542735][ T8863]                    __fput+0x2ff/0x890
[ 87.548368][ T8863]                    ____fput+0x16/0x20
[ 87.554051][ T8863]                    task_work_run+0x145/0x1c0
[ 87.560522][ T8863]                    do_exit+0x90a/0x2fa0
[ 87.566336][ T8863]                    do_group_exit+0x135/0x370
[ 87.572580][ T8863]                    get_signal+0x471/0x24b0
[ 87.578664][ T8863]                    do_signal+0x87/0x1900
[ 87.584691][ T8863]                    exit_to_usermode_loop+0x244/0x2c0
[ 87.591639][ T8863]                    do_fast_syscall_32+0xb51/0xd7d
[ 87.598316][ T8863]                    entry_SYSENTER_compat+0x70/0x7f
[ 87.605312][ T8863]    SOFTIRQ-ON-W at:
[ 87.609303][ T8863]                    lock_acquire+0x16f/0x3f0
[ 87.615587][ T8863]                    _raw_spin_lock+0x2f/0x40
[ 87.621797][ T8863]                    userfaultfd_release+0x4ca/0x710
[ 87.628846][ T8863]                    __fput+0x2ff/0x890
[ 87.634572][ T8863]                    ____fput+0x16/0x20
[ 87.640213][ T8863]                    task_work_run+0x145/0x1c0
[ 87.646559][ T8863]                    do_exit+0x90a/0x2fa0
[ 87.652517][ T8863]                    do_group_exit+0x135/0x370
[ 87.658768][ T8863]                    get_signal+0x471/0x24b0
[ 87.664848][ T8863]                    do_signal+0x87/0x1900
[ 87.670764][ T8863]                    exit_to_usermode_loop+0x244/0x2c0
[ 87.677706][ T8863]                    do_fast_syscall_32+0xb51/0xd7d
[ 87.684392][ T8863]                    entry_SYSENTER_compat+0x70/0x7f
[ 87.691148][ T8863]    INITIAL USE at:
[ 87.695096][ T8863]                    lock_acquire+0x16f/0x3f0
[ 87.701314][ T8863]                    _raw_spin_lock+0x2f/0x40
[ 87.708041][ T8863]                    userfaultfd_read+0x540/0x1940
[ 87.714651][ T8863]                    __vfs_read+0x8a/0x110
[ 87.720469][ T8863]                    vfs_read+0x194/0x3e0
[ 87.726238][ T8863]                    ksys_read+0x14f/0x290
[ 87.732043][ T8863]                    __ia32_sys_read+0x71/0xb0
[ 87.738245][ T8863]                    do_fast_syscall_32+0x27b/0xd7d
[ 87.745302][ T8863]                    entry_SYSENTER_compat+0x70/0x7f
[ 87.751972][ T8863]  }
[ 87.754557][ T8863]  ... key at: [] __key.46101+0x0/0x40
[ 87.762222][ T8863]  ... acquired at:
[ 87.766042][ T8863]    mark_lock+0x420/0x1370
[ 87.770553][ T8863]    __lock_acquire+0x12df/0x5490
[ 87.775600][ T8863]    lock_acquire+0x16f/0x3f0
[ 87.780291][ T8863]    _raw_spin_lock+0x2f/0x40
[ 87.785110][ T8863]    userfaultfd_release+0x4ca/0x710
[ 87.790404][ T8863]    __fput+0x2ff/0x890
[ 87.794569][ T8863]    ____fput+0x16/0x20
[ 87.798825][ T8863]    task_work_run+0x145/0x1c0
[ 87.803673][ T8863]    do_exit+0x90a/0x2fa0
[ 87.808035][ T8863]    do_group_exit+0x135/0x370
[ 87.812821][ T8863]    get_signal+0x471/0x24b0
[ 87.817406][ T8863]    do_signal+0x87/0x1900
[ 87.821827][ T8863]    exit_to_usermode_loop+0x244/0x2c0
[ 87.827413][ T8863]    do_fast_syscall_32+0xb51/0xd7d
[ 87.832739][ T8863]    entry_SYSENTER_compat+0x70/0x7f
[ 87.838005][ T8863]
[ 87.840322][ T8863]
[ 87.840322][ T8863] stack backtrace:
[ 87.846319][ T8863] CPU: 0 PID: 8863 Comm: syz-executor104 Not tainted 5.2.0-rc4+ #27
[ 87.854292][ T8863] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 87.864480][ T8863] Call Trace:
[ 87.867801][ T8863]  dump_stack+0x172/0x1f0
[ 87.872184][ T8863]  print_irq_inversion_bug.part.0+0x2c5/0x2d2
[ 87.878553][ T8863]  check_usage_backwards.cold+0x1d/0x26
[ 87.884277][ T8863]  ? print_shortest_lock_dependencies+0x90/0x90
[ 87.890640][ T8863]  ? stack_trace_save+0xac/0xe0
[ 87.895527][ T8863]  ? stack_trace_consume_entry+0x190/0x190
[ 87.901673][ T8863]  ? kasan_check_write+0x14/0x20
[ 87.906672][ T8863]  ? graph_lock+0x7b/0x200
[ 87.911102][ T8863]  ? __lockdep_reset_lock+0x450/0x450
[ 87.916478][ T8863]  mark_lock+0x420/0x1370
[ 87.920866][ T8863]  ? print_shortest_lock_dependencies+0x90/0x90
[ 87.927210][ T8863]  __lock_acquire+0x12df/0x5490
[ 87.932070][ T8863]  ? kasan_check_write+0x14/0x20
[ 87.937137][ T8863]  ? mark_held_locks+0xf0/0xf0
[ 87.942145][ T8863]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 87.952665][ T8863]  ? stack_depot_save+0x25a/0x450
[ 87.957952][ T8863]  lock_acquire+0x16f/0x3f0
[ 87.962582][ T8863]  ? userfaultfd_release+0x4ca/0x710
[ 87.967877][ T8863]  _raw_spin_lock+0x2f/0x40
[ 87.972859][ T8863]  ? userfaultfd_release+0x4ca/0x710
[ 87.978161][ T8863]  userfaultfd_release+0x4ca/0x710
[ 87.983422][ T8863]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 87.989735][ T8863]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 87.996014][ T8863]  ? ima_file_free+0xc9/0x4a0
[ 88.000816][ T8863]  __fput+0x2ff/0x890
[ 88.004805][ T8863]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 88.010789][ T8863]  ____fput+0x16/0x20
[ 88.014784][ T8863]  task_work_run+0x145/0x1c0
[ 88.019383][ T8863]  do_exit+0x90a/0x2fa0
[ 88.023599][ T8863]  ? get_signal+0x387/0x24b0
[ 88.028205][ T8863]  ? mm_update_next_owner+0x640/0x640
[ 88.033587][ T8863]  ? kasan_check_write+0x14/0x20
[ 88.038660][ T8863]  ? _raw_spin_unlock_irq+0x28/0x90
[ 88.043859][ T8863]  ? get_signal+0x387/0x24b0
[ 88.048482][ T8863]  ? _raw_spin_unlock_irq+0x28/0x90
[ 88.053697][ T8863]  do_group_exit+0x135/0x370
[ 88.058393][ T8863]  get_signal+0x471/0x24b0
[ 88.062935][ T8863]  ? exit_robust_list+0x2c0/0x2c0
[ 88.067970][ T8863]  ? __ia32_compat_sys_io_submit+0x303/0x570
[ 88.073961][ T8863]  do_signal+0x87/0x1900
[ 88.078338][ T8863]  ? lock_downgrade+0x880/0x880
[ 88.083200][ T8863]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 88.089578][ T8863]  ? setup_sigcontext+0x7d0/0x7d0
[ 88.094678][ T8863]  ? exit_to_usermode_loop+0x43/0x2c0
[ 88.100074][ T8863]  ? do_fast_syscall_32+0xb51/0xd7d
[ 88.105277][ T8863]  ? exit_to_usermode_loop+0x43/0x2c0
[ 88.110775][ T8863]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 88.116164][ T8863]  ? trace_hardirqs_on+0x67/0x220
[ 88.121360][ T8863]  exit_to_usermode_loop+0x244/0x2c0
[ 88.126757][ T8863]  do_fast_syscall_32+0xb51/0xd7d
[ 88.131996][ T8863]  entry_SYSENTER_compat+0x70/0x7f
[ 88.137121][ T8863] RIP: 0023:0xf7fd9849
[ 88.141197][ T8863] Code: Bad RIP value.
[ 88.145366][ T8863] RSP: 002b:00000000f7fb41ec EFLAGS: 00000296 ORIG_RAX: 00000000000000f0
[ 88.153893][ T8863] RAX: fffffffffffffe00 RBX: 00000000080fb018 RCX: 0000000000000080
[ 88.161877][ T8863] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000f7f93000
[ 88.170142][ T8863] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[ 88.178117][ T8863] R10: 0000000000000000 R11: 0000