[ 52.491065][ T26] audit: type=1800 audit(1560717839.032:25): pid=8158 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 52.537075][ T26] audit: type=1800 audit(1560717839.032:26): pid=8158 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 52.569738][ T26] audit: type=1800 audit(1560717839.032:27): pid=8158 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[....] startpar: service(s) returned failure: ssh ... [FAIL] failed!
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.95' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 68.359098][ T8335]
[ 68.361458][ T8335] ========================================================
[ 68.368628][ T8335] WARNING: possible irq lock inversion dependency detected
[ 68.375796][ T8335] 5.2.0-rc4+ #26 Not tainted
[ 68.380361][ T8335] --------------------------------------------------------
[ 68.387532][ T8335] syz-executor300/8335 just changed the state of lock:
[ 68.394368][ T8335] 0000000096d7477b (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x4ca/0x710
[ 68.404216][ T8335] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 68.412355][ T8335]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 68.412363][ T8335]
[ 68.412363][ T8335]
[ 68.412363][ T8335] and interrupts could create inverse lock ordering between them.
[ 68.412363][ T8335]
[ 68.431828][ T8335]
[ 68.431828][ T8335] other info that might help us debug this:
[ 68.439957][ T8335] Chain exists of:
[ 68.439957][ T8335]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 68.439957][ T8335]
[ 68.454172][ T8335]  Possible interrupt unsafe locking scenario:
[ 68.454172][ T8335]
[ 68.462477][ T8335]        CPU0                    CPU1
[ 68.467917][ T8335]        ----                    ----
[ 68.473259][ T8335]   lock(&ctx->fault_pending_wqh);
[ 68.478420][ T8335]                                local_irq_disable();
[ 68.485210][ T8335]                                lock(&(&ctx->ctx_lock)->rlock);
[ 68.493099][ T8335]                                lock(&ctx->fd_wqh);
[ 68.499851][ T8335]   <Interrupt>
[ 68.503407][ T8335]     lock(&(&ctx->ctx_lock)->rlock);
[ 68.508757][ T8335]
[ 68.508757][ T8335]  *** DEADLOCK ***
[ 68.508757][ T8335]
[ 68.516990][ T8335] no locks held by syz-executor300/8335.
[ 68.522663][ T8335]
[ 68.522663][ T8335] the shortest dependencies between 2nd lock and 1st lock:
[ 68.532111][ T8335]  -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 68.537816][ T8335]     IN-SOFTIRQ-W at:
[ 68.542151][ T8335]       lock_acquire+0x16f/0x3f0
[ 68.548814][ T8335]       _raw_spin_lock_irq+0x60/0x80
[ 68.555801][ T8335]       free_ioctx_users+0x2d/0x490
[ 68.562712][ T8335]       percpu_ref_switch_to_atomic_rcu+0x407/0x540
[ 68.571031][ T8335]       rcu_core+0xba5/0x1500
[ 68.577983][ T8335]       __do_softirq+0x25c/0x94c
[ 68.584844][ T8335]       irq_exit+0x180/0x1d0
[ 68.591203][ T8335]       smp_apic_timer_interrupt+0x13b/0x550
[ 68.598885][ T8335]       apic_timer_interrupt+0xf/0x20
[ 68.612571][ T8335]       native_safe_halt+0xe/0x10
[ 68.619327][ T8335]       arch_cpu_idle+0xa/0x10
[ 68.625831][ T8335]       default_idle_call+0x36/0x90
[ 68.632648][ T8335]       do_idle+0x377/0x560
[ 68.638882][ T8335]       cpu_startup_entry+0x1b/0x20
[ 68.645633][ T8335]       start_secondary+0x34e/0x4c0
[ 68.652464][ T8335]       secondary_startup_64+0xa4/0xb0
[ 68.660066][ T8335]     INITIAL USE at:
[ 68.664174][ T8335]       lock_acquire+0x16f/0x3f0
[ 68.670584][ T8335]       _raw_spin_lock_irq+0x60/0x80
[ 68.677327][ T8335]       io_submit_one+0xeb5/0x2ef0
[ 68.684088][ T8335]       __ia32_compat_sys_io_submit+0x1bf/0x570
[ 68.691800][ T8335]       do_fast_syscall_32+0x27b/0xd7d
[ 68.699022][ T8335]       entry_SYSENTER_compat+0x70/0x7f
[ 68.706026][ T8335]   }
[ 68.708874][ T8335]   ... key at: [] __key.53427+0x0/0x40
[ 68.716604][ T8335]   ... acquired at:
[ 68.720576][ T8335]    _raw_spin_lock+0x2f/0x40
[ 68.725335][ T8335]    io_submit_one+0xefa/0x2ef0
[ 68.730174][ T8335]    __ia32_compat_sys_io_submit+0x1bf/0x570
[ 68.736145][ T8335]    do_fast_syscall_32+0x27b/0xd7d
[ 68.741340][ T8335]    entry_SYSENTER_compat+0x70/0x7f
[ 68.746845][ T8335]
[ 68.749158][ T8335]  -> (&ctx->fd_wqh){....} {
[ 68.753725][ T8335]     INITIAL USE at:
[ 68.757695][ T8335]       lock_acquire+0x16f/0x3f0
[ 68.764036][ T8335]       _raw_spin_lock_irq+0x60/0x80
[ 68.770634][ T8335]       userfaultfd_read+0x27a/0x1940
[ 68.777651][ T8335]       do_iter_read+0x4a4/0x660
[ 68.784140][ T8335]       compat_readv+0x18e/0x200
[ 68.790357][ T8335]       do_compat_readv+0xf5/0x1f0
[ 68.796766][ T8335]       __ia32_compat_sys_readv+0x74/0xb0
[ 68.803781][ T8335]       do_fast_syscall_32+0x27b/0xd7d
[ 68.810901][ T8335]       entry_SYSENTER_compat+0x70/0x7f
[ 68.817906][ T8335]   }
[ 68.820539][ T8335]   ... key at: [] __key.46103+0x0/0x40
[ 68.828298][ T8335]   ... acquired at:
[ 68.832260][ T8335]    _raw_spin_lock+0x2f/0x40
[ 68.837143][ T8335]    userfaultfd_read+0x540/0x1940
[ 68.842764][ T8335]    do_iter_read+0x4a4/0x660
[ 68.847543][ T8335]    compat_readv+0x18e/0x200
[ 68.852397][ T8335]    do_compat_readv+0xf5/0x1f0
[ 68.857226][ T8335]    __ia32_compat_sys_readv+0x74/0xb0
[ 68.862770][ T8335]    do_fast_syscall_32+0x27b/0xd7d
[ 68.867960][ T8335]    entry_SYSENTER_compat+0x70/0x7f
[ 68.873240][ T8335]
[ 68.875554][ T8335] -> (&ctx->fault_pending_wqh){+.+.} {
[ 68.880987][ T8335]    HARDIRQ-ON-W at:
[ 68.885061][ T8335]      lock_acquire+0x16f/0x3f0
[ 68.891423][ T8335]      _raw_spin_lock+0x2f/0x40
[ 68.897570][ T8335]      userfaultfd_release+0x4ca/0x710
[ 68.904327][ T8335]      __fput+0x2ff/0x890
[ 68.910106][ T8335]      ____fput+0x16/0x20
[ 68.915726][ T8335]      task_work_run+0x145/0x1c0
[ 68.921943][ T8335]      do_exit+0x90a/0x2fa0
[ 68.927925][ T8335]      do_group_exit+0x135/0x370
[ 68.934150][ T8335]      get_signal+0x471/0x24b0
[ 68.940298][ T8335]      do_signal+0x87/0x1900
[ 68.946176][ T8335]      exit_to_usermode_loop+0x244/0x2c0
[ 68.953142][ T8335]      do_fast_syscall_32+0xb51/0xd7d
[ 68.959808][ T8335]      entry_SYSENTER_compat+0x70/0x7f
[ 68.968226][ T8335]    SOFTIRQ-ON-W at:
[ 68.972211][ T8335]      lock_acquire+0x16f/0x3f0
[ 68.978355][ T8335]      _raw_spin_lock+0x2f/0x40
[ 68.984567][ T8335]      userfaultfd_release+0x4ca/0x710
[ 68.991317][ T8335]      __fput+0x2ff/0x890
[ 68.996923][ T8335]      ____fput+0x16/0x20
[ 69.002636][ T8335]      task_work_run+0x145/0x1c0
[ 69.008867][ T8335]      do_exit+0x90a/0x2fa0
[ 69.014750][ T8335]      do_group_exit+0x135/0x370
[ 69.021065][ T8335]      get_signal+0x471/0x24b0
[ 69.027289][ T8335]      do_signal+0x87/0x1900
[ 69.033168][ T8335]      exit_to_usermode_loop+0x244/0x2c0
[ 69.040216][ T8335]      do_fast_syscall_32+0xb51/0xd7d
[ 69.046977][ T8335]      entry_SYSENTER_compat+0x70/0x7f
[ 69.053750][ T8335]    INITIAL USE at:
[ 69.057631][ T8335]      lock_acquire+0x16f/0x3f0
[ 69.063683][ T8335]      _raw_spin_lock+0x2f/0x40
[ 69.069732][ T8335]      userfaultfd_read+0x540/0x1940
[ 69.076208][ T8335]      do_iter_read+0x4a4/0x660
[ 69.082362][ T8335]      compat_readv+0x18e/0x200
[ 69.088410][ T8335]      do_compat_readv+0xf5/0x1f0
[ 69.094888][ T8335]      __ia32_compat_sys_readv+0x74/0xb0
[ 69.101727][ T8335]      do_fast_syscall_32+0x27b/0xd7d
[ 69.108304][ T8335]      entry_SYSENTER_compat+0x70/0x7f
[ 69.115047][ T8335]  }
[ 69.117549][ T8335]  ... key at: [] __key.46100+0x0/0x40
[ 69.124980][ T8335]  ... acquired at:
[ 69.128776][ T8335]    mark_lock+0x420/0x1370
[ 69.133262][ T8335]    __lock_acquire+0x12df/0x5490
[ 69.138264][ T8335]    lock_acquire+0x16f/0x3f0
[ 69.143026][ T8335]    _raw_spin_lock+0x2f/0x40
[ 69.147691][ T8335]    userfaultfd_release+0x4ca/0x710
[ 69.152968][ T8335]    __fput+0x2ff/0x890
[ 69.157101][ T8335]    ____fput+0x16/0x20
[ 69.161348][ T8335]    task_work_run+0x145/0x1c0
[ 69.166090][ T8335]    do_exit+0x90a/0x2fa0
[ 69.170406][ T8335]    do_group_exit+0x135/0x370
[ 69.175476][ T8335]    get_signal+0x471/0x24b0
[ 69.180052][ T8335]    do_signal+0x87/0x1900
[ 69.184530][ T8335]    exit_to_usermode_loop+0x244/0x2c0
[ 69.189972][ T8335]    do_fast_syscall_32+0xb51/0xd7d
[ 69.195150][ T8335]    entry_SYSENTER_compat+0x70/0x7f
[ 69.200406][ T8335]
[ 69.202708][ T8335]
[ 69.202708][ T8335] stack backtrace:
[ 69.208628][ T8335] CPU: 0 PID: 8335 Comm: syz-executor300 Not tainted 5.2.0-rc4+ #26
[ 69.216713][ T8335] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.226748][ T8335] Call Trace:
[ 69.230028][ T8335]  dump_stack+0x172/0x1f0
[ 69.234349][ T8335]  print_irq_inversion_bug.part.0+0x2c5/0x2d2
[ 69.240408][ T8335]  check_usage_backwards.cold+0x1d/0x26
[ 69.245945][ T8335]  ? print_shortest_lock_dependencies+0x90/0x90
[ 69.252227][ T8335]  ? stack_trace_save+0xac/0xe0
[ 69.257072][ T8335]  ? stack_trace_consume_entry+0x190/0x190
[ 69.262866][ T8335]  ? kasan_check_write+0x14/0x20
[ 69.267787][ T8335]  ? graph_lock+0x7b/0x200
[ 69.272178][ T8335]  ? __lockdep_reset_lock+0x450/0x450
[ 69.277534][ T8335]  mark_lock+0x420/0x1370
[ 69.281914][ T8335]  ? print_shortest_lock_dependencies+0x90/0x90
[ 69.288141][ T8335]  __lock_acquire+0x12df/0x5490
[ 69.293142][ T8335]  ? kasan_check_write+0x14/0x20
[ 69.298167][ T8335]  ? mark_held_locks+0xf0/0xf0
[ 69.303267][ T8335]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 69.309179][ T8335]  ? stack_depot_save+0x25a/0x450
[ 69.314623][ T8335]  lock_acquire+0x16f/0x3f0
[ 69.319110][ T8335]  ? userfaultfd_release+0x4ca/0x710
[ 69.324374][ T8335]  _raw_spin_lock+0x2f/0x40
[ 69.328878][ T8335]  ? userfaultfd_release+0x4ca/0x710
[ 69.334165][ T8335]  userfaultfd_release+0x4ca/0x710
[ 69.339636][ T8335]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 69.345542][ T8335]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 69.351859][ T8335]  ? ima_file_free+0xc9/0x4a0
[ 69.356549][ T8335]  __fput+0x2ff/0x890
[ 69.360519][ T8335]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 69.366401][ T8335]  ____fput+0x16/0x20
[ 69.370361][ T8335]  task_work_run+0x145/0x1c0
[ 69.375031][ T8335]  do_exit+0x90a/0x2fa0
[ 69.379190][ T8335]  ? get_signal+0x387/0x24b0
[ 69.383761][ T8335]  ? mm_update_next_owner+0x640/0x640
[ 69.389233][ T8335]  ? kasan_check_write+0x14/0x20
[ 69.394164][ T8335]  ? _raw_spin_unlock_irq+0x28/0x90
[ 69.399480][ T8335]  ? get_signal+0x387/0x24b0
[ 69.404073][ T8335]  ? _raw_spin_unlock_irq+0x28/0x90
[ 69.409358][ T8335]  do_group_exit+0x135/0x370
[ 69.413940][ T8335]  get_signal+0x471/0x24b0
[ 69.418347][ T8335]  ? exit_robust_list+0x2c0/0x2c0
[ 69.423366][ T8335]  ? __ia32_compat_sys_io_submit+0x303/0x570
[ 69.429333][ T8335]  do_signal+0x87/0x1900
[ 69.433648][ T8335]  ? lock_downgrade+0x880/0x880
[ 69.438593][ T8335]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 69.444977][ T8335]  ? setup_sigcontext+0x7d0/0x7d0
[ 69.449993][ T8335]  ? exit_to_usermode_loop+0x43/0x2c0
[ 69.455350][ T8335]  ? do_fast_syscall_32+0xb51/0xd7d
[ 69.460641][ T8335]  ? exit_to_usermode_loop+0x43/0x2c0
[ 69.466004][ T8335]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 69.471275][ T8335]  ? trace_hardirqs_on+0x67/0x220
[ 69.476285][ T8335]  exit_to_usermode_loop+0x244/0x2c0
[ 69.481559][ T8335]  do_fast_syscall_32+0xb51/0xd7d
[ 69.486578][ T8335]  entry_SYSENTER_compat+0x70/0x7f
[ 69.491676][ T8335] RIP: 0023:0xf7fcc849
[ 69.495737][ T8335] Code: Bad RIP value.
[ 69.499823][ T8335] RSP: 002b:00000000f7fa71ec EFLAGS: 00000296 ORIG_RAX: 00000000000000f0
[ 69.508303][ T8335] RAX: fffffffffffffe00 RBX: 00000000080fb018 RCX