[ 44.510509][ T26] audit: type=1800 audit(1553809943.506:28): pid=7680 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 45.245502][ T26] audit: type=1800 audit(1553809944.336:29): pid=7680 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 45.265814][ T26] audit: type=1800 audit(1553809944.336:30): pid=7680 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
[FAIL] startpar: service(s) returned failure: ssh ... failed!
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts.
executing program
syzkaller login: 
[ 53.895258][ T7856] 
[ 53.897639][ T7856] ========================================================
[ 53.905133][ T7856] WARNING: possible irq lock inversion dependency detected
[ 53.912344][ T7856] 5.1.0-rc2+ #40 Not tainted
[ 53.917421][ T7856] --------------------------------------------------------
[ 53.924812][ T7856] syz-executor352/7856 just changed the state of lock:
[ 53.931773][ T7856] 00000000c39b2936 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0
[ 53.941902][ T7856] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 53.950359][ T7856]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 53.950367][ T7856] 
[ 53.950367][ T7856] 
[ 53.950367][ T7856] and interrupts could create inverse lock ordering between them.
[ 53.950367][ T7856] 
[ 53.970408][ T7856] 
[ 53.970408][ T7856] other info that might help us debug this:
[ 53.978721][ T7856] Chain exists of:
[ 53.978721][ T7856]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 53.978721][ T7856] 
[ 53.992947][ T7856]  Possible interrupt unsafe locking scenario:
[ 53.992947][ T7856] 
[ 54.001259][ T7856]        CPU0                    CPU1
[ 54.006641][ T7856]        ----                    ----
[ 54.012196][ T7856]   lock(&ctx->fault_pending_wqh);
[ 54.017524][ T7856]                                local_irq_disable();
[ 54.024271][ T7856]                                lock(&(&ctx->ctx_lock)->rlock);
[ 54.032481][ T7856]                                lock(&ctx->fd_wqh);
[ 54.039544][ T7856] 
[ 54.042992][ T7856]     lock(&(&ctx->ctx_lock)->rlock);
[ 54.048515][ T7856] 
[ 54.048515][ T7856]  *** DEADLOCK ***
[ 54.048515][ T7856] 
[ 54.056673][ T7856] no locks held by syz-executor352/7856.
[ 54.062755][ T7856] 
[ 54.062755][ T7856] the shortest dependencies between 2nd lock and 1st lock:
[ 54.072387][ T7856] -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 54.078188][ T7856]    IN-SOFTIRQ-W at:
[ 54.082459][ T7856]      lock_acquire+0x16f/0x3f0
[ 54.089075][ T7856]      _raw_spin_lock_irq+0x60/0x80
[ 54.096224][ T7856]      free_ioctx_users+0x2d/0x4a0
[ 54.103354][ T7856]      percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[ 54.111740][ T7856]      rcu_core+0x928/0x1390
[ 54.118201][ T7856]      __do_softirq+0x266/0x95a
[ 54.124779][ T7856]      irq_exit+0x180/0x1d0
[ 54.131197][ T7856]      smp_apic_timer_interrupt+0x14a/0x570
[ 54.138739][ T7856]      apic_timer_interrupt+0xf/0x20
[ 54.146023][ T7856]      native_safe_halt+0x2/0x10
[ 54.152651][ T7856]      arch_cpu_idle+0x10/0x20
[ 54.159238][ T7856]      default_idle_call+0x36/0x90
[ 54.166147][ T7856]      do_idle+0x386/0x570
[ 54.172574][ T7856]      cpu_startup_entry+0x1b/0x20
[ 54.179471][ T7856]      rest_init+0x245/0x37b
[ 54.185807][ T7856]      arch_call_rest_init+0xe/0x1b
[ 54.192745][ T7856]      start_kernel+0x816/0x84f
[ 54.199642][ T7856]      x86_64_start_reservations+0x29/0x2b
[ 54.207257][ T7856]      x86_64_start_kernel+0x77/0x7b
[ 54.214590][ T7856]      secondary_startup_64+0xa4/0xb0
[ 54.222056][ T7856]    INITIAL USE at:
[ 54.226196][ T7856]      lock_acquire+0x16f/0x3f0
[ 54.233356][ T7856]      _raw_spin_lock_irq+0x60/0x80
[ 54.241248][ T7856]      io_submit_one+0xe0c/0x1cf0
[ 54.248562][ T7856]      __x64_sys_io_submit+0x1bd/0x580
[ 54.256209][ T7856]      do_syscall_64+0x103/0x610
[ 54.263671][ T7856]      entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.271757][ T7856]  }
[ 54.274454][ T7856]  ... key      at: [] __key.52644+0x0/0x40
[ 54.282072][ T7856]  ... acquired at:
[ 54.286341][ T7856]    lock_acquire+0x16f/0x3f0
[ 54.291010][ T7856]    _raw_spin_lock+0x2f/0x40
[ 54.295874][ T7856]    io_submit_one+0xe35/0x1cf0
[ 54.300720][ T7856]    __x64_sys_io_submit+0x1bd/0x580
[ 54.305999][ T7856]    do_syscall_64+0x103/0x610
[ 54.310985][ T7856]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.317519][ T7856] 
[ 54.319988][ T7856] -> (&ctx->fd_wqh){....} {
[ 54.324713][ T7856]    INITIAL USE at:
[ 54.328870][ T7856]      lock_acquire+0x16f/0x3f0
[ 54.335123][ T7856]      _raw_spin_lock_irq+0x60/0x80
[ 54.341951][ T7856]      userfaultfd_read+0x27a/0x1940
[ 54.348825][ T7856]      do_iter_read+0x4a9/0x660
[ 54.355529][ T7856]      vfs_readv+0xf0/0x160
[ 54.361789][ T7856]      do_readv+0xf6/0x290
[ 54.367931][ T7856]      __x64_sys_readv+0x75/0xb0
[ 54.374534][ T7856]      do_syscall_64+0x103/0x610
[ 54.381852][ T7856]      entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.390457][ T7856]  }
[ 54.393312][ T7856]  ... key      at: [] __key.45453+0x0/0x40
[ 54.401393][ T7856]  ... acquired at:
[ 54.405607][ T7856]    lock_acquire+0x16f/0x3f0
[ 54.410308][ T7856]    _raw_spin_lock+0x2f/0x40
[ 54.415431][ T7856]    userfaultfd_read+0x540/0x1940
[ 54.420840][ T7856]    do_iter_read+0x4a9/0x660
[ 54.425745][ T7856]    vfs_readv+0xf0/0x160
[ 54.430121][ T7856]    do_readv+0xf6/0x290
[ 54.434367][ T7856]    __x64_sys_readv+0x75/0xb0
[ 54.439192][ T7856]    do_syscall_64+0x103/0x610
[ 54.444097][ T7856]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.450286][ T7856] 
[ 54.452808][ T7856] -> (&ctx->fault_pending_wqh){+.+.} {
[ 54.458464][ T7856]    HARDIRQ-ON-W at:
[ 54.462446][ T7856]      lock_acquire+0x16f/0x3f0
[ 54.468589][ T7856]      _raw_spin_lock+0x2f/0x40
[ 54.475273][ T7856]      userfaultfd_release+0x48e/0x6d0
[ 54.482347][ T7856]      __fput+0x2e5/0x8d0
[ 54.488227][ T7856]      ____fput+0x16/0x20
[ 54.494084][ T7856]      task_work_run+0x14a/0x1c0
[ 54.500946][ T7856]      do_exit+0x90a/0x2fa0
[ 54.506922][ T7856]      do_group_exit+0x135/0x370
[ 54.513528][ T7856]      get_signal+0x399/0x1d50
[ 54.519797][ T7856]      do_signal+0x87/0x1940
[ 54.526006][ T7856]      exit_to_usermode_loop+0x244/0x2c0
[ 54.533658][ T7856]      do_syscall_64+0x52d/0x610
[ 54.542215][ T7856]      entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.549976][ T7856]    SOFTIRQ-ON-W at:
[ 54.553957][ T7856]      lock_acquire+0x16f/0x3f0
[ 54.560365][ T7856]      _raw_spin_lock+0x2f/0x40
[ 54.566653][ T7856]      userfaultfd_release+0x48e/0x6d0
[ 54.573676][ T7856]      __fput+0x2e5/0x8d0
[ 54.580988][ T7856]      ____fput+0x16/0x20
[ 54.587215][ T7856]      task_work_run+0x14a/0x1c0
[ 54.593853][ T7856]      do_exit+0x90a/0x2fa0
[ 54.599875][ T7856]      do_group_exit+0x135/0x370
[ 54.606606][ T7856]      get_signal+0x399/0x1d50
[ 54.612961][ T7856]      do_signal+0x87/0x1940
[ 54.618992][ T7856]      exit_to_usermode_loop+0x244/0x2c0
[ 54.626123][ T7856]      do_syscall_64+0x52d/0x610
[ 54.632999][ T7856]      entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.640807][ T7856]    INITIAL USE at:
[ 54.644767][ T7856]      lock_acquire+0x16f/0x3f0
[ 54.651176][ T7856]      _raw_spin_lock+0x2f/0x40
[ 54.657664][ T7856]      userfaultfd_read+0x540/0x1940
[ 54.664331][ T7856]      do_iter_read+0x4a9/0x660
[ 54.670510][ T7856]      vfs_readv+0xf0/0x160
[ 54.676331][ T7856]      do_readv+0xf6/0x290
[ 54.682105][ T7856]      __x64_sys_readv+0x75/0xb0
[ 54.688250][ T7856]      do_syscall_64+0x103/0x610
[ 54.694535][ T7856]      entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.702129][ T7856]  }
[ 54.704658][ T7856]  ... key      at: [] __key.45450+0x0/0x40
[ 54.712473][ T7856]  ... acquired at:
[ 54.716430][ T7856]    mark_lock+0x427/0x1380
[ 54.720928][ T7856]    __lock_acquire+0x1317/0x3fb0
[ 54.726054][ T7856]    lock_acquire+0x16f/0x3f0
[ 54.730880][ T7856]    _raw_spin_lock+0x2f/0x40
[ 54.735775][ T7856]    userfaultfd_release+0x48e/0x6d0
[ 54.741297][ T7856]    __fput+0x2e5/0x8d0
[ 54.745443][ T7856]    ____fput+0x16/0x20
[ 54.749811][ T7856]    task_work_run+0x14a/0x1c0
[ 54.754729][ T7856]    do_exit+0x90a/0x2fa0
[ 54.759253][ T7856]    do_group_exit+0x135/0x370
[ 54.764118][ T7856]    get_signal+0x399/0x1d50
[ 54.769065][ T7856]    do_signal+0x87/0x1940
[ 54.773771][ T7856]    exit_to_usermode_loop+0x244/0x2c0
[ 54.779514][ T7856]    do_syscall_64+0x52d/0x610
[ 54.784399][ T7856]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.790687][ T7856] 
[ 54.793001][ T7856] 
[ 54.793001][ T7856] stack backtrace:
[ 54.799126][ T7856] CPU: 0 PID: 7856 Comm: syz-executor352 Not tainted 5.1.0-rc2+ #40
[ 54.807370][ T7856] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.817936][ T7856] Call Trace:
[ 54.821227][ T7856]  dump_stack+0x172/0x1f0
[ 54.825726][ T7856]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 54.831933][ T7856]  check_usage_backwards.cold+0x1d/0x26
[ 54.837505][ T7856]  ? print_shortest_lock_dependencies+0x90/0x90
[ 54.843863][ T7856]  ? save_stack_trace+0x1a/0x20
[ 54.848736][ T7856]  mark_lock+0x427/0x1380
[ 54.853324][ T7856]  ? print_shortest_lock_dependencies+0x90/0x90
[ 54.859827][ T7856]  __lock_acquire+0x1317/0x3fb0
[ 54.864800][ T7856]  ? trace_hardirqs_off+0x62/0x220
[ 54.869948][ T7856]  ? kasan_check_read+0x11/0x20
[ 54.875043][ T7856]  ? mark_held_locks+0xf0/0xf0
[ 54.879800][ T7856]  ? save_stack+0xa9/0xd0
[ 54.884121][ T7856]  ? save_stack+0x45/0xd0
[ 54.888750][ T7856]  ? __kasan_slab_free+0x102/0x150
[ 54.894472][ T7856]  ? kasan_slab_free+0xe/0x10
[ 54.899207][ T7856]  ? kmem_cache_free+0x86/0x260
[ 54.904251][ T7856]  ? free_fs_struct+0x4f/0x70
[ 54.909006][ T7856]  ? exit_fs+0xf0/0x130
[ 54.913273][ T7856]  lock_acquire+0x16f/0x3f0
[ 54.917860][ T7856]  ? userfaultfd_release+0x48e/0x6d0
[ 54.923280][ T7856]  _raw_spin_lock+0x2f/0x40
[ 54.927844][ T7856]  ? userfaultfd_release+0x48e/0x6d0
[ 54.933134][ T7856]  userfaultfd_release+0x48e/0x6d0
[ 54.938471][ T7856]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 54.944561][ T7856]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 54.950806][ T7856]  ? ima_file_free+0xc9/0x4a0
[ 54.955591][ T7856]  ? __might_sleep+0x95/0x190
[ 54.960486][ T7856]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 54.966336][ T7856]  __fput+0x2e5/0x8d0
[ 54.970378][ T7856]  ____fput+0x16/0x20
[ 54.974355][ T7856]  task_work_run+0x14a/0x1c0
[ 54.978942][ T7856]  do_exit+0x90a/0x2fa0
[ 54.983099][ T7856]  ? get_signal+0x331/0x1d50
[ 54.987934][ T7856]  ? mm_update_next_owner+0x640/0x640
[ 54.993605][ T7856]  ? kasan_check_write+0x14/0x20
[ 54.998653][ T7856]  ? _raw_spin_unlock_irq+0x28/0x90
[ 55.003845][ T7856]  ? get_signal+0x331/0x1d50
[ 55.008429][ T7856]  ? _raw_spin_unlock_irq+0x28/0x90
[ 55.013788][ T7856]  do_group_exit+0x135/0x370
[ 55.018393][ T7856]  get_signal+0x399/0x1d50
[ 55.022932][ T7856]  ? __x64_sys_io_submit+0x31f/0x580
[ 55.028475][ T7856]  do_signal+0x87/0x1940
[ 55.032710][ T7856]  ? lock_downgrade+0x880/0x880
[ 55.037686][ T7856]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 55.044055][ T7856]  ? kasan_check_read+0x11/0x20
[ 55.048985][ T7856]  ? setup_sigcontext+0x7d0/0x7d0
[ 55.054004][ T7856]  ? exit_to_usermode_loop+0x43/0x2c0
[ 55.059520][ T7856]  ? do_syscall_64+0x52d/0x610
[ 55.064361][ T7856]  ? exit_to_usermode_loop+0x43/0x2c0
[ 55.069723][ T7856]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 55.075158][ T7856]  ? trace_hardirqs_on+0x67/0x230
[ 55.080174][ T7856]  exit_to_usermode_loop+0x244/0x2c0
[ 55.085452][ T7856]  do_syscall_64+0x52d/0x610
[ 55.090124][ T7856]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.096160][ T7856] RIP: 0033:0x4458f9
[ 55.100134][ T7856] Code: Bad RIP value.
[ 55.104260][ T7856] RSP: 002b:00007f848ac3ddb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 55.113058][ T7856] RAX: fffffffffffffe00 RBX: 00000000006dac58 RCX: 00000000004458f9
[ 55.121127][ T7856] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dac58
[ 55.129322][ T7856] RBP: 00000000006dac50 R08: 0000000000000000 R09: 0000000000000000
[ 55.137599][ T7856] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac5c
[ 55.145762][ T7856] R13: 00007ffc084ca76f R14: 00007