[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 55.189898][ T27] audit: type=1800 audit(1560753315.745:25): pid=8237 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 55.226738][ T27] audit: type=1800 audit(1560753315.755:26): pid=8237 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 55.279655][ T27] audit: type=1800 audit(1560753315.755:27): pid=8237 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.189' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 66.461432][ T8394] [ 66.463789][ T8394] ======================================================== [ 66.470956][ T8394] WARNING: possible irq lock inversion dependency detected [ 66.478121][ T8394] 5.2.0-rc4+ #53 Not tainted [ 66.482680][ T8394] -------------------------------------------------------- [ 66.489854][ T8394] syz-executor168/8394 just changed the state of lock: [ 66.496684][ T8394] 00000000d35e9448 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x4ca/0x710 [ 66.506440][ T8394] but this lock was taken by another, SOFTIRQ-safe lock in the past: [ 66.514477][ T8394] (&(&ctx->ctx_lock)->rlock){..-.} [ 66.514483][ T8394] [ 66.514483][ T8394] [ 66.514483][ T8394] and interrupts could create inverse lock ordering between them. [ 66.514483][ T8394] [ 66.533935][ T8394] [ 66.533935][ T8394] other info that might help us debug this: [ 66.542008][ T8394] Chain exists of: [ 66.542008][ T8394] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh [ 66.542008][ T8394] [ 66.556228][ T8394] Possible interrupt unsafe locking scenario: [ 66.556228][ T8394] [ 66.564534][ T8394] CPU0 CPU1 [ 66.569882][ T8394] ---- ---- [ 66.575224][ T8394] lock(&ctx->fault_pending_wqh); [ 66.580327][ T8394] local_irq_disable(); [ 66.587149][ T8394] lock(&(&ctx->ctx_lock)->rlock); [ 66.601781][ T8394] lock(&ctx->fd_wqh); [ 66.608434][ T8394] [ 66.611864][ T8394] lock(&(&ctx->ctx_lock)->rlock); [ 66.617208][ T8394] [ 66.617208][ T8394] *** DEADLOCK *** [ 66.617208][ T8394] [ 66.625331][ T8394] no locks held by syz-executor168/8394. [ 66.630936][ T8394] [ 66.630936][ T8394] the shortest dependencies between 2nd lock and 1st lock: [ 66.640297][ T8394] -> (&(&ctx->ctx_lock)->rlock){..-.} { [ 66.645994][ T8394] IN-SOFTIRQ-W at: [ 66.650160][ T8394] lock_acquire+0x16f/0x3f0 [ 66.656656][ T8394] _raw_spin_lock_irq+0x60/0x80 [ 66.663495][ T8394] free_ioctx_users+0x2d/0x490 [ 66.670252][ T8394] percpu_ref_switch_to_atomic_rcu+0x407/0x540 [ 66.678380][ T8394] rcu_core+0xba5/0x1500 [ 66.684598][ T8394] __do_softirq+0x25c/0x94c [ 66.691276][ T8394] irq_exit+0x180/0x1d0 [ 66.697407][ T8394] smp_apic_timer_interrupt+0x13b/0x550 [ 66.704929][ T8394] apic_timer_interrupt+0xf/0x20 [ 66.711862][ T8394] native_safe_halt+0xe/0x10 [ 66.718457][ T8394] arch_cpu_idle+0xa/0x10 [ 66.724759][ T8394] default_idle_call+0x36/0x90 [ 66.731502][ T8394] do_idle+0x377/0x560 [ 66.737549][ T8394] cpu_startup_entry+0x1b/0x20 [ 66.744284][ T8394] rest_init+0x245/0x37b [ 66.750522][ T8394] arch_call_rest_init+0xe/0x1b [ 66.757352][ T8394] start_kernel+0x854/0x893 [ 66.763848][ T8394] x86_64_start_reservations+0x29/0x2b [ 66.771289][ T8394] x86_64_start_kernel+0x77/0x7b [ 66.778201][ T8394] secondary_startup_64+0xa4/0xb0 [ 66.785191][ T8394] INITIAL USE at: [ 66.789243][ T8394] lock_acquire+0x16f/0x3f0 [ 66.795638][ T8394] _raw_spin_lock_irq+0x60/0x80 [ 66.802376][ T8394] io_submit_one+0xeb5/0x2ef0 [ 66.808935][ T8394] __x64_sys_io_submit+0x1bd/0x570 [ 66.815931][ T8394] do_syscall_64+0xfd/0x680 [ 66.822349][ T8394] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.830128][ T8394] } [ 66.832792][ T8394] ... key at: [] __key.53428+0x0/0x40 [ 66.840406][ T8394] ... acquired at: [ 66.844398][ T8394] _raw_spin_lock+0x2f/0x40 [ 66.849059][ T8394] io_submit_one+0xefa/0x2ef0 [ 66.853888][ T8394] __x64_sys_io_submit+0x1bd/0x570 [ 66.859151][ T8394] do_syscall_64+0xfd/0x680 [ 66.863803][ T8394] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.869855][ T8394] [ 66.872170][ T8394] -> (&ctx->fd_wqh){....} { [ 66.876752][ T8394] INITIAL USE at: [ 66.880720][ T8394] lock_acquire+0x16f/0x3f0 [ 66.886936][ T8394] _raw_spin_lock_irq+0x60/0x80 [ 66.893522][ T8394] userfaultfd_read+0x27a/0x1940 [ 66.900180][ T8394] __vfs_read+0x8a/0x110 [ 66.906186][ T8394] vfs_read+0x194/0x3e0 [ 66.912072][ T8394] ksys_read+0x14f/0x290 [ 66.918055][ T8394] __x64_sys_read+0x73/0xb0 [ 66.924278][ T8394] do_syscall_64+0xfd/0x680 [ 66.930515][ T8394] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.938138][ T8394] } [ 66.940751][ T8394] ... key at: [] __key.46104+0x0/0x40 [ 66.948269][ T8394] ... acquired at: [ 66.952151][ T8394] _raw_spin_lock+0x2f/0x40 [ 66.956805][ T8394] userfaultfd_read+0x540/0x1940 [ 66.961919][ T8394] __vfs_read+0x8a/0x110 [ 66.966314][ T8394] vfs_read+0x194/0x3e0 [ 66.970621][ T8394] ksys_read+0x14f/0x290 [ 66.975030][ T8394] __x64_sys_read+0x73/0xb0 [ 66.979692][ T8394] do_syscall_64+0xfd/0x680 [ 66.984365][ T8394] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.990400][ T8394] [ 66.992734][ T8394] -> (&ctx->fault_pending_wqh){+.+.} { [ 66.998177][ T8394] HARDIRQ-ON-W at: [ 67.002261][ T8394] lock_acquire+0x16f/0x3f0 [ 67.008431][ T8394] _raw_spin_lock+0x2f/0x40 [ 67.014578][ T8394] userfaultfd_release+0x4ca/0x710 [ 67.021324][ T8394] __fput+0x2ff/0x890 [ 67.026941][ T8394] ____fput+0x16/0x20 [ 67.032559][ T8394] task_work_run+0x145/0x1c0 [ 67.038801][ T8394] do_exit+0x90a/0x2fa0 [ 67.044594][ T8394] do_group_exit+0x135/0x370 [ 67.050843][ T8394] get_signal+0x471/0x24b0 [ 67.056899][ T8394] do_signal+0x87/0x1900 [ 67.062778][ T8394] exit_to_usermode_loop+0x244/0x2c0 [ 67.069693][ T8394] do_syscall_64+0x58e/0x680 [ 67.075917][ T8394] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 67.083635][ T8394] SOFTIRQ-ON-W at: [ 67.087604][ T8394] lock_acquire+0x16f/0x3f0 [ 67.093736][ T8394] _raw_spin_lock+0x2f/0x40 [ 67.099871][ T8394] userfaultfd_release+0x4ca/0x710 [ 67.106615][ T8394] __fput+0x2ff/0x890 [ 67.112230][ T8394] ____fput+0x16/0x20 [ 67.117844][ T8394] task_work_run+0x145/0x1c0 [ 67.124152][ T8394] do_exit+0x90a/0x2fa0 [ 67.130621][ T8394] do_group_exit+0x135/0x370 [ 67.136948][ T8394] get_signal+0x471/0x24b0 [ 67.143004][ T8394] do_signal+0x87/0x1900 [ 67.148899][ T8394] exit_to_usermode_loop+0x244/0x2c0 [ 67.155819][ T8394] do_syscall_64+0x58e/0x680 [ 67.162064][ T8394] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 67.169589][ T8394] INITIAL USE at: [ 67.173480][ T8394] lock_acquire+0x16f/0x3f0 [ 67.179551][ T8394] _raw_spin_lock+0x2f/0x40 [ 67.185632][ T8394] userfaultfd_read+0x540/0x1940 [ 67.192132][ T8394] __vfs_read+0x8a/0x110 [ 67.197938][ T8394] vfs_read+0x194/0x3e0 [ 67.203642][ T8394] ksys_read+0x14f/0x290 [ 67.209450][ T8394] __x64_sys_read+0x73/0xb0 [ 67.215498][ T8394] do_syscall_64+0xfd/0x680 [ 67.221540][ T8394] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 67.228984][ T8394] } [ 67.231479][ T8394] ... key at: [] __key.46101+0x0/0x40 [ 67.238907][ T8394] ... acquired at: [ 67.242700][ T8394] mark_lock+0x420/0x1370 [ 67.247180][ T8394] __lock_acquire+0x12df/0x5490 [ 67.252182][ T8394] lock_acquire+0x16f/0x3f0 [ 67.256853][ T8394] _raw_spin_lock+0x2f/0x40 [ 67.261512][ T8394] userfaultfd_release+0x4ca/0x710 [ 67.266789][ T8394] __fput+0x2ff/0x890 [ 67.270940][ T8394] ____fput+0x16/0x20 [ 67.275089][ T8394] task_work_run+0x145/0x1c0 [ 67.279837][ T8394] do_exit+0x90a/0x2fa0 [ 67.284142][ T8394] do_group_exit+0x135/0x370 [ 67.289151][ T8394] get_signal+0x471/0x24b0 [ 67.293727][ T8394] do_signal+0x87/0x1900 [ 67.298135][ T8394] exit_to_usermode_loop+0x244/0x2c0 [ 67.303601][ T8394] do_syscall_64+0x58e/0x680 [ 67.308351][ T8394] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 67.314386][ T8394] [ 67.316690][ T8394] [ 67.316690][ T8394] stack backtrace: [ 67.322568][ T8394] CPU: 1 PID: 8394 Comm: syz-executor168 Not tainted 5.2.0-rc4+ #53 [ 67.330515][ T8394] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 67.340545][ T8394] Call Trace: [ 67.343821][ T8394] dump_stack+0x172/0x1f0 [ 67.348128][ T8394] print_irq_inversion_bug.part.0+0x2c5/0x2d2 [ 67.354201][ T8394] check_usage_backwards.cold+0x1d/0x26 [ 67.359748][ T8394] ? print_shortest_lock_dependencies+0x90/0x90 [ 67.367942][ T8394] ? stack_trace_save+0xac/0xe0 [ 67.372791][ T8394] ? stack_trace_consume_entry+0x190/0x190 [ 67.378579][ T8394] ? kasan_check_write+0x14/0x20 [ 67.383506][ T8394] ? graph_lock+0x7b/0x200 [ 67.387897][ T8394] ? __lockdep_reset_lock+0x450/0x450 [ 67.393263][ T8394] mark_lock+0x420/0x1370 [ 67.397575][ T8394] ? print_shortest_lock_dependencies+0x90/0x90 [ 67.403795][ T8394] __lock_acquire+0x12df/0x5490 [ 67.408637][ T8394] ? kasan_check_write+0x14/0x20 [ 67.413580][ T8394] ? mark_held_locks+0xf0/0xf0 [ 67.418321][ T8394] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 67.424119][ T8394] ? stack_depot_save+0x25a/0x450 [ 67.429120][ T8394] lock_acquire+0x16f/0x3f0 [ 67.433599][ T8394] ? userfaultfd_release+0x4ca/0x710 [ 67.438867][ T8394] _raw_spin_lock+0x2f/0x40 [ 67.443351][ T8394] ? userfaultfd_release+0x4ca/0x710 [ 67.448613][ T8394] userfaultfd_release+0x4ca/0x710 [ 67.453713][ T8394] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 67.459517][ T8394] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 67.465737][ T8394] ? ima_file_free+0xc9/0x4a0 [ 67.470411][ T8394] __fput+0x2ff/0x890 [ 67.474374][ T8394] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 67.480157][ T8394] ____fput+0x16/0x20 [ 67.484126][ T8394] task_work_run+0x145/0x1c0 [ 67.488698][ T8394] do_exit+0x90a/0x2fa0 [ 67.492848][ T8394] ? get_signal+0x387/0x24b0 [ 67.497420][ T8394] ? mm_update_next_owner+0x640/0x640 [ 67.502775][ T8394] ? kasan_check_write+0x14/0x20 [ 67.507689][ T8394] ? _raw_spin_unlock_irq+0x28/0x90 [ 67.512862][ T8394] ? get_signal+0x387/0x24b0 [ 67.517443][ T8394] ? _raw_spin_unlock_irq+0x28/0x90 [ 67.522627][ T8394] do_group_exit+0x135/0x370 [ 67.527202][ T8394] get_signal+0x471/0x24b0 [ 67.531625][ T8394] ? exit_robust_list+0x2c0/0x2c0 [ 67.536647][ T8394] do_signal+0x87/0x1900 [ 67.540869][ T8394] ? lock_downgrade+0x880/0x880 [ 67.545700][ T8394] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 67.551921][ T8394] ? kasan_check_read+0x11/0x20 [ 67.556749][ T8394] ? setup_sigcontext+0x7d0/0x7d0 [ 67.561770][ T8394] ? exit_to_usermode_loop+0x43/0x2c0 [ 67.567118][ T8394] ? do_syscall_64+0x58e/0x680 [ 67.571858][ T8394] ? exit_to_usermode_loop+0x43/0x2c0 [ 67.577225][ T8394] ? lockdep_hardirqs_on+0x418/0x5d0 [ 67.582487][ T8394] ? trace_hardirqs_on+0x67/0x220 [ 67.587748][ T8394] exit_to_usermode_loop+0x244/0x2c0 [ 67.593018][ T8394] do_syscall_64+0x58e/0x680 [ 67.597593][ T8394] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 67.603463][ T8394] RIP: 0033:0x4458f9 [ 67.607345][ T8394] Code: Bad RIP value. [ 67.611388][ T8394] RSP: 002b:00007f1620e1cdb8 EFLAGS: 0