[ 39.478340][ T26] audit: type=1800 audit(1553813855.648:26): pid=7606 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 39.500629][ T26] audit: type=1800 audit(1553813855.648:27): pid=7606 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 39.541712][ T26] audit: type=1800 audit(1553813855.728:28): pid=7606 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 40.310615][ T26] audit: type=1800 audit(1553813856.498:29): pid=7606 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.10.24' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 56.728027][ T7757]
[ 56.730592][ T7757] ========================================================
[ 56.737832][ T7757] WARNING: possible irq lock inversion dependency detected
[ 56.746261][ T7757] 5.1.0-rc2+ #41 Not tainted
[ 56.751371][ T7757] --------------------------------------------------------
[ 56.758874][ T7757] syz-executor013/7757 just changed the state of lock:
[ 56.766839][ T7757] 000000005e91fe02 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0
[ 56.779041][ T7757] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 56.788134][ T7757]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 56.788143][ T7757]
[ 56.788143][ T7757]
[ 56.788143][ T7757] and interrupts could create inverse lock ordering between them.
[ 56.788143][ T7757]
[ 56.808094][ T7757]
[ 56.808094][ T7757] other info that might help us debug this:
[ 56.816142][ T7757] Chain exists of:
[ 56.816142][ T7757]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 56.816142][ T7757]
[ 56.831505][ T7757]  Possible interrupt unsafe locking scenario:
[ 56.831505][ T7757]
[ 56.840651][ T7757]        CPU0                    CPU1
[ 56.846010][ T7757]        ----                    ----
[ 56.851358][ T7757]   lock(&ctx->fault_pending_wqh);
[ 56.856460][ T7757]                                local_irq_disable();
[ 56.863201][ T7757]                                lock(&(&ctx->ctx_lock)->rlock);
[ 56.871226][ T7757]                                lock(&ctx->fd_wqh);
[ 56.877935][ T7757]
[ 56.881579][ T7757]     lock(&(&ctx->ctx_lock)->rlock);
[ 56.886932][ T7757]
[ 56.886932][ T7757]  *** DEADLOCK ***
[ 56.886932][ T7757]
[ 56.895229][ T7757] no locks held by syz-executor013/7757.
[ 56.900852][ T7757]
[ 56.900852][ T7757] the shortest dependencies between 2nd lock and 1st lock:
[ 56.911363][ T7757] -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 56.917305][ T7757]    IN-SOFTIRQ-W at:
[ 56.921498][ T7757]      lock_acquire+0x16f/0x3f0
[ 56.928015][ T7757]      _raw_spin_lock_irq+0x60/0x80
[ 56.935876][ T7757]      free_ioctx_users+0x2d/0x4a0
[ 56.942762][ T7757]      percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[ 56.950932][ T7757]      rcu_core+0x928/0x1390
[ 56.957368][ T7757]      __do_softirq+0x266/0x95a
[ 56.964491][ T7757]      irq_exit+0x180/0x1d0
[ 56.970724][ T7757]      smp_apic_timer_interrupt+0x14a/0x570
[ 56.978699][ T7757]      apic_timer_interrupt+0xf/0x20
[ 56.986222][ T7757]      native_safe_halt+0x2/0x10
[ 56.992986][ T7757]      arch_cpu_idle+0x10/0x20
[ 56.999518][ T7757]      default_idle_call+0x36/0x90
[ 57.006305][ T7757]      do_idle+0x386/0x570
[ 57.013412][ T7757]      cpu_startup_entry+0x1b/0x20
[ 57.020163][ T7757]      start_secondary+0x360/0x4d0
[ 57.027125][ T7757]      secondary_startup_64+0xa4/0xb0
[ 57.034129][ T7757]    INITIAL USE at:
[ 57.038193][ T7757]      lock_acquire+0x16f/0x3f0
[ 57.044858][ T7757]      _raw_spin_lock_irq+0x60/0x80
[ 57.051958][ T7757]      io_submit_one+0xe0c/0x1cf0
[ 57.058542][ T7757]      __x64_sys_io_submit+0x1bd/0x580
[ 57.065645][ T7757]      do_syscall_64+0x103/0x610
[ 57.072137][ T7757]      entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.079924][ T7757]  }
[ 57.082636][ T7757]  ... key at: [] __key.52644+0x0/0x40
[ 57.090250][ T7757]  ... acquired at:
[ 57.094230][ T7757]    lock_acquire+0x16f/0x3f0
[ 57.098907][ T7757]    _raw_spin_lock+0x2f/0x40
[ 57.103571][ T7757]    io_submit_one+0xe35/0x1cf0
[ 57.108404][ T7757]    __x64_sys_io_submit+0x1bd/0x580
[ 57.113946][ T7757]    do_syscall_64+0x103/0x610
[ 57.118699][ T7757]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.124789][ T7757]
[ 57.127103][ T7757] -> (&ctx->fd_wqh){....} {
[ 57.131679][ T7757]    INITIAL USE at:
[ 57.135708][ T7757]      lock_acquire+0x16f/0x3f0
[ 57.141935][ T7757]      _raw_spin_lock_irq+0x60/0x80
[ 57.148503][ T7757]      userfaultfd_read+0x27a/0x1940
[ 57.155162][ T7757]      do_iter_read+0x4a9/0x660
[ 57.161393][ T7757]      vfs_readv+0xf0/0x160
[ 57.167272][ T7757]      do_readv+0xf6/0x290
[ 57.173685][ T7757]      __x64_sys_readv+0x75/0xb0
[ 57.180172][ T7757]      do_syscall_64+0x103/0x610
[ 57.186562][ T7757]      entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.194180][ T7757]  }
[ 57.196760][ T7757]  ... key at: [] __key.45453+0x0/0x40
[ 57.204285][ T7757]  ... acquired at:
[ 57.208170][ T7757]    lock_acquire+0x16f/0x3f0
[ 57.213097][ T7757]    _raw_spin_lock+0x2f/0x40
[ 57.218056][ T7757]    userfaultfd_read+0x540/0x1940
[ 57.223508][ T7757]    do_iter_read+0x4a9/0x660
[ 57.228181][ T7757]    vfs_readv+0xf0/0x160
[ 57.232711][ T7757]    do_readv+0xf6/0x290
[ 57.237123][ T7757]    __x64_sys_readv+0x75/0xb0
[ 57.241887][ T7757]    do_syscall_64+0x103/0x610
[ 57.246846][ T7757]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.252999][ T7757]
[ 57.255314][ T7757] -> (&ctx->fault_pending_wqh){+.+.} {
[ 57.260756][ T7757]    HARDIRQ-ON-W at:
[ 57.264729][ T7757]      lock_acquire+0x16f/0x3f0
[ 57.270885][ T7757]      _raw_spin_lock+0x2f/0x40
[ 57.277222][ T7757]      userfaultfd_release+0x48e/0x6d0
[ 57.284285][ T7757]      __fput+0x2e5/0x8d0
[ 57.289909][ T7757]      ____fput+0x16/0x20
[ 57.295909][ T7757]      task_work_run+0x14a/0x1c0
[ 57.302340][ T7757]      do_exit+0x90a/0x2fa0
[ 57.308267][ T7757]      do_group_exit+0x135/0x370
[ 57.314510][ T7757]      __x64_sys_exit_group+0x44/0x50
[ 57.323005][ T7757]      do_syscall_64+0x103/0x610
[ 57.329695][ T7757]      entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.337826][ T7757]    SOFTIRQ-ON-W at:
[ 57.341945][ T7757]      lock_acquire+0x16f/0x3f0
[ 57.349915][ T7757]      _raw_spin_lock+0x2f/0x40
[ 57.356152][ T7757]      userfaultfd_release+0x48e/0x6d0
[ 57.362907][ T7757]      __fput+0x2e5/0x8d0
[ 57.368795][ T7757]      ____fput+0x16/0x20
[ 57.375127][ T7757]      task_work_run+0x14a/0x1c0
[ 57.381362][ T7757]      do_exit+0x90a/0x2fa0
[ 57.387151][ T7757]      do_group_exit+0x135/0x370
[ 57.393376][ T7757]      __x64_sys_exit_group+0x44/0x50
[ 57.400088][ T7757]      do_syscall_64+0x103/0x610
[ 57.406478][ T7757]      entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.414274][ T7757]    INITIAL USE at:
[ 57.418158][ T7757]      lock_acquire+0x16f/0x3f0
[ 57.424346][ T7757]      _raw_spin_lock+0x2f/0x40
[ 57.430496][ T7757]      userfaultfd_read+0x540/0x1940
[ 57.436999][ T7757]      do_iter_read+0x4a9/0x660
[ 57.443054][ T7757]      vfs_readv+0xf0/0x160
[ 57.448761][ T7757]      do_readv+0xf6/0x290
[ 57.454376][ T7757]      __x64_sys_readv+0x75/0xb0
[ 57.460524][ T7757]      do_syscall_64+0x103/0x610
[ 57.466662][ T7757]      entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.474093][ T7757]  }
[ 57.476586][ T7757]  ... key at: [] __key.45450+0x0/0x40
[ 57.484122][ T7757]  ... acquired at:
[ 57.487935][ T7757]    mark_lock+0x427/0x1380
[ 57.492430][ T7757]    __lock_acquire+0x1317/0x3fb0
[ 57.497440][ T7757]    lock_acquire+0x16f/0x3f0
[ 57.502102][ T7757]    _raw_spin_lock+0x2f/0x40
[ 57.506769][ T7757]    userfaultfd_release+0x48e/0x6d0
[ 57.512128][ T7757]    __fput+0x2e5/0x8d0
[ 57.516271][ T7757]    ____fput+0x16/0x20
[ 57.520424][ T7757]    task_work_run+0x14a/0x1c0
[ 57.525263][ T7757]    do_exit+0x90a/0x2fa0
[ 57.529701][ T7757]    do_group_exit+0x135/0x370
[ 57.534468][ T7757]    __x64_sys_exit_group+0x44/0x50
[ 57.539661][ T7757]    do_syscall_64+0x103/0x610
[ 57.544425][ T7757]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.550476][ T7757]
[ 57.552787][ T7757]
[ 57.552787][ T7757] stack backtrace:
[ 57.558676][ T7757] CPU: 1 PID: 7757 Comm: syz-executor013 Not tainted 5.1.0-rc2+ #41
[ 57.566695][ T7757] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.576857][ T7757] Call Trace:
[ 57.580199][ T7757]  dump_stack+0x172/0x1f0
[ 57.584532][ T7757]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 57.590819][ T7757]  check_usage_backwards.cold+0x1d/0x26
[ 57.596365][ T7757]  ? print_shortest_lock_dependencies+0x90/0x90
[ 57.602609][ T7757]  ? save_stack_trace+0x1a/0x20
[ 57.607455][ T7757]  mark_lock+0x427/0x1380
[ 57.611822][ T7757]  ? print_shortest_lock_dependencies+0x90/0x90
[ 57.618069][ T7757]  __lock_acquire+0x1317/0x3fb0
[ 57.622910][ T7757]  ? __save_stack_trace+0x99/0x100
[ 57.628012][ T7757]  ? mark_held_locks+0xf0/0xf0
[ 57.633029][ T7757]  ? save_stack+0xa9/0xd0
[ 57.637352][ T7757]  ? save_stack+0x45/0xd0
[ 57.641975][ T7757]  ? __kasan_slab_free+0x102/0x150
[ 57.647120][ T7757]  ? kasan_slab_free+0xe/0x10
[ 57.652020][ T7757]  ? kmem_cache_free+0x86/0x260
[ 57.657029][ T7757]  ? free_fs_struct+0x4f/0x70
[ 57.661973][ T7757]  ? exit_fs+0xf0/0x130
[ 57.666144][ T7757]  lock_acquire+0x16f/0x3f0
[ 57.670850][ T7757]  ? userfaultfd_release+0x48e/0x6d0
[ 57.676143][ T7757]  _raw_spin_lock+0x2f/0x40
[ 57.680804][ T7757]  ? userfaultfd_release+0x48e/0x6d0
[ 57.686091][ T7757]  userfaultfd_release+0x48e/0x6d0
[ 57.691475][ T7757]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 57.697663][ T7757]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 57.704005][ T7757]  ? ima_file_free+0xc9/0x4a0
[ 57.708675][ T7757]  ? __might_sleep+0x95/0x190
[ 57.713353][ T7757]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 57.719166][ T7757]  __fput+0x2e5/0x8d0
[ 57.723265][ T7757]  ____fput+0x16/0x20
[ 57.727288][ T7757]  task_work_run+0x14a/0x1c0
[ 57.731871][ T7757]  do_exit+0x90a/0x2fa0
[ 57.736091][ T7757]  ? __sched_text_start+0x8/0x8
[ 57.740955][ T7757]  ? do_group_exit+0x2e9/0x370
[ 57.745739][ T7757]  ? mm_update_next_owner+0x640/0x640
[ 57.751196][ T7757]  ? preempt_schedule_common+0x4f/0xe0
[ 57.756801][ T7757]  ? preempt_schedule+0x4b/0x60
[ 57.761776][ T7757]  ? ___preempt_schedule+0x16/0x18
[ 57.766885][ T7757]  do_group_exit+0x135/0x370
[ 57.771485][ T7757]  __x64_sys_exit_group+0x44/0x50
[ 57.776765][ T7757]  do_syscall_64+0x103/0x610
[ 57.781372][ T7757]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.787259][ T7757] RIP: 0033:0x444478
[ 57.791368][ T7757] Code: Bad RIP value.
[ 57.795479][ T7757] RSP: 002b:00007fff86a784f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 57.803891][ T7757] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444478
[ 57.811860][ T7757] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 57.819831][ T7757] RBP: 00000000004cc010 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 57.827794][ T7757] R10: 00007fff86a784b0 R11: 00000