[ ok ] Starting enhanced syslogd: rsyslogd.
[ 59.933023][ T26] audit: type=1800 audit(1561502842.865:25): pid=8887 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 59.974988][ T26] audit: type=1800 audit(1561502842.865:26): pid=8887 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 60.012237][ T26] audit: type=1800 audit(1561502842.865:27): pid=8887 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.15.196' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 72.936838][ T9041]
[ 72.939222][ T9041] ========================================================
[ 72.946409][ T9041] WARNING: possible irq lock inversion dependency detected
[ 72.953619][ T9041] 5.2.0-rc6-next-20190625 #22 Not tainted
[ 72.959554][ T9041] --------------------------------------------------------
[ 72.966731][ T9041] syz-executor014/9041 just changed the state of lock:
[ 72.973552][ T9041] 000000004873c98a (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x4ca/0x710
[ 72.983255][ T9041] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 72.991288][ T9041]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 72.991296][ T9041]
[ 72.991296][ T9041]
[ 72.991296][ T9041] and interrupts could create inverse lock ordering between them.
[ 72.991296][ T9041]
[ 73.010749][ T9041]
[ 73.010749][ T9041] other info that might help us debug this:
[ 73.018784][ T9041] Chain exists of:
[ 73.018784][ T9041]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 73.018784][ T9041]
[ 73.033084][ T9041]  Possible interrupt unsafe locking scenario:
[ 73.033084][ T9041]
[ 73.041392][ T9041]        CPU0                    CPU1
[ 73.046763][ T9041]        ----                    ----
[ 73.052124][ T9041]   lock(&ctx->fault_pending_wqh);
[ 73.057218][ T9041]                                local_irq_disable();
[ 73.063949][ T9041]                                lock(&(&ctx->ctx_lock)->rlock);
[ 73.071650][ T9041]                                lock(&ctx->fd_wqh);
[ 73.078295][ T9041]   <Interrupt>
[ 73.081726][ T9041]     lock(&(&ctx->ctx_lock)->rlock);
[ 73.087066][ T9041]
[ 73.087066][ T9041]  *** DEADLOCK ***
[ 73.087066][ T9041]
[ 73.095279][ T9041] no locks held by syz-executor014/9041.
[ 73.100877][ T9041]
[ 73.100877][ T9041] the shortest dependencies between 2nd lock and 1st lock:
[ 73.110254][ T9041]  -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 73.115959][ T9041]     IN-SOFTIRQ-W at:
[ 73.120097][ T9041]       lock_acquire+0x190/0x410
[ 73.126580][ T9041]       _raw_spin_lock_irq+0x60/0x80
[ 73.133413][ T9041]       free_ioctx_users+0x2d/0x490
[ 73.140172][ T9041]       percpu_ref_switch_to_atomic_rcu+0x4c0/0x570
[ 73.148468][ T9041]       rcu_core+0x67f/0x1580
[ 73.154873][ T9041]       rcu_core_si+0x9/0x10
[ 73.161377][ T9041]       __do_softirq+0x262/0x98c
[ 73.168232][ T9041]       irq_exit+0x19b/0x1e0
[ 73.174380][ T9041]       smp_apic_timer_interrupt+0x1a3/0x610
[ 73.181908][ T9041]       apic_timer_interrupt+0xf/0x20
[ 73.188818][ T9041]       native_safe_halt+0xe/0x10
[ 73.195379][ T9041]       arch_cpu_idle+0xa/0x10
[ 73.201690][ T9041]       default_idle_call+0x84/0xb0
[ 73.208459][ T9041]       do_idle+0x413/0x760
[ 73.214513][ T9041]       cpu_startup_entry+0x1b/0x20
[ 73.221290][ T9041]       rest_init+0x245/0x37b
[ 73.227531][ T9041]       arch_call_rest_init+0xe/0x1b
[ 73.234749][ T9041]       start_kernel+0x8de/0x91d
[ 73.241713][ T9041]       x86_64_start_reservations+0x29/0x2b
[ 73.251076][ T9041]       x86_64_start_kernel+0x77/0x7b
[ 73.258726][ T9041]       secondary_startup_64+0xa4/0xb0
[ 73.265729][ T9041]     INITIAL USE at:
[ 73.269788][ T9041]       lock_acquire+0x190/0x410
[ 73.276281][ T9041]       _raw_spin_lock_irq+0x60/0x80
[ 73.283028][ T9041]       io_submit_one+0xeb5/0x2ef0
[ 73.289598][ T9041]       __x64_sys_io_submit+0x1bd/0x570
[ 73.296623][ T9041]       do_syscall_64+0xfd/0x6a0
[ 73.303016][ T9041]       entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.310790][ T9041]  }
[ 73.313457][ T9041]  ... key at: [] __key.53687+0x0/0x40
[ 73.321052][ T9041]  ... acquired at:
[ 73.325057][ T9041]    _raw_spin_lock+0x2f/0x40
[ 73.329722][ T9041]    io_submit_one+0xefa/0x2ef0
[ 73.334690][ T9041]    __x64_sys_io_submit+0x1bd/0x570
[ 73.342385][ T9041]    do_syscall_64+0xfd/0x6a0
[ 73.357243][ T9041]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.363548][ T9041]
[ 73.365867][ T9041]  -> (&ctx->fd_wqh){....} {
[ 73.370460][ T9041]     INITIAL USE at:
[ 73.374445][ T9041]       lock_acquire+0x190/0x410
[ 73.380678][ T9041]       _raw_spin_lock_irq+0x60/0x80
[ 73.387254][ T9041]       userfaultfd_read+0x27a/0x1950
[ 73.393923][ T9041]       __vfs_read+0x8a/0x110
[ 73.399882][ T9041]       vfs_read+0x1f0/0x440
[ 73.405748][ T9041]       ksys_read+0x14f/0x290
[ 73.411719][ T9041]       __x64_sys_read+0x73/0xb0
[ 73.417946][ T9041]       do_syscall_64+0xfd/0x6a0
[ 73.424178][ T9041]       entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.431797][ T9041]  }
[ 73.434402][ T9041]  ... key at: [] __key.46407+0x0/0x40
[ 73.450657][ T9041]  ... acquired at:
[ 73.454752][ T9041]    _raw_spin_lock+0x2f/0x40
[ 73.459407][ T9041]    userfaultfd_read+0x54d/0x1950
[ 73.464527][ T9041]    __vfs_read+0x8a/0x110
[ 73.468932][ T9041]    vfs_read+0x1f0/0x440
[ 73.473255][ T9041]    ksys_read+0x14f/0x290
[ 73.477644][ T9041]    __x64_sys_read+0x73/0xb0
[ 73.482312][ T9041]    do_syscall_64+0xfd/0x6a0
[ 73.486976][ T9041]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.493008][ T9041]
[ 73.495312][ T9041] -> (&ctx->fault_pending_wqh){+.+.} {
[ 73.500761][ T9041]     HARDIRQ-ON-W at:
[ 73.504731][ T9041]       lock_acquire+0x190/0x410
[ 73.510858][ T9041]       _raw_spin_lock+0x2f/0x40
[ 73.516984][ T9041]       userfaultfd_release+0x4ca/0x710
[ 73.523716][ T9041]       __fput+0x2ff/0x890
[ 73.529324][ T9041]       ____fput+0x16/0x20
[ 73.544395][ T9041]       task_work_run+0x145/0x1c0
[ 73.555415][ T9041]       do_exit+0x904/0x2eb0
[ 73.561556][ T9041]       do_group_exit+0x135/0x360
[ 73.567779][ T9041]       get_signal+0x47c/0x2500
[ 73.573846][ T9041]       do_signal+0x87/0x1700
[ 73.579718][ T9041]       exit_to_usermode_loop+0x251/0x2d0
[ 73.586632][ T9041]       do_syscall_64+0x5a9/0x6a0
[ 73.592874][ T9041]       entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.600394][ T9041]     SOFTIRQ-ON-W at:
[ 73.604373][ T9041]       lock_acquire+0x190/0x410
[ 73.610523][ T9041]       _raw_spin_lock+0x2f/0x40
[ 73.616674][ T9041]       userfaultfd_release+0x4ca/0x710
[ 73.623442][ T9041]       __fput+0x2ff/0x890
[ 73.629047][ T9041]       ____fput+0x16/0x20
[ 73.634690][ T9041]       task_work_run+0x145/0x1c0
[ 73.641231][ T9041]       do_exit+0x904/0x2eb0
[ 73.647139][ T9041]       do_group_exit+0x135/0x360
[ 73.653803][ T9041]       get_signal+0x47c/0x2500
[ 73.660662][ T9041]       do_signal+0x87/0x1700
[ 73.666558][ T9041]       exit_to_usermode_loop+0x251/0x2d0
[ 73.673485][ T9041]       do_syscall_64+0x5a9/0x6a0
[ 73.679702][ T9041]       entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.687232][ T9041]     INITIAL USE at:
[ 73.691218][ T9041]       lock_acquire+0x190/0x410
[ 73.697269][ T9041]       _raw_spin_lock+0x2f/0x40
[ 73.703308][ T9041]       userfaultfd_read+0x54d/0x1950
[ 73.709788][ T9041]       __vfs_read+0x8a/0x110
[ 73.715585][ T9041]       vfs_read+0x1f0/0x440
[ 73.721301][ T9041]       ksys_read+0x14f/0x290
[ 73.727111][ T9041]       __x64_sys_read+0x73/0xb0
[ 73.733163][ T9041]       do_syscall_64+0xfd/0x6a0
[ 73.740676][ T9041]       entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.748112][ T9041]  }
[ 73.750617][ T9041]  ... key at: [] __key.46404+0x0/0x40
[ 73.758135][ T9041]  ... acquired at:
[ 73.761932][ T9041]    mark_lock+0x4fa/0x11e0
[ 73.766436][ T9041]    __lock_acquire+0x13f7/0x4680
[ 73.771467][ T9041]    lock_acquire+0x190/0x410
[ 73.776124][ T9041]    _raw_spin_lock+0x2f/0x40
[ 73.780801][ T9041]    userfaultfd_release+0x4ca/0x710
[ 73.786078][ T9041]    __fput+0x2ff/0x890
[ 73.790216][ T9041]    ____fput+0x16/0x20
[ 73.794348][ T9041]    task_work_run+0x145/0x1c0
[ 73.799086][ T9041]    do_exit+0x904/0x2eb0
[ 73.803388][ T9041]    do_group_exit+0x135/0x360
[ 73.808215][ T9041]    get_signal+0x47c/0x2500
[ 73.812789][ T9041]    do_signal+0x87/0x1700
[ 73.817218][ T9041]    exit_to_usermode_loop+0x251/0x2d0
[ 73.822654][ T9041]    do_syscall_64+0x5a9/0x6a0
[ 73.827394][ T9041]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.833445][ T9041]
[ 73.835765][ T9041]
[ 73.835765][ T9041] stack backtrace:
[ 73.841644][ T9041] CPU: 0 PID: 9041 Comm: syz-executor014 Not tainted 5.2.0-rc6-next-20190625 #22
[ 73.850903][ T9041] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.861041][ T9041] Call Trace:
[ 73.864320][ T9041]  dump_stack+0x172/0x1f0
[ 73.868650][ T9041]  print_irq_inversion_bug.part.0+0x2c5/0x2d2
[ 73.874704][ T9041]  check_usage_backwards.cold+0x1d/0x26
[ 73.880225][ T9041]  ? print_shortest_lock_dependencies+0x90/0x90
[ 73.886474][ T9041]  ? stack_trace_save+0xac/0xe0
[ 73.891306][ T9041]  ? stack_trace_consume_entry+0x190/0x190
[ 73.897087][ T9041]  ? __lockdep_reset_lock+0x450/0x450
[ 73.902458][ T9041]  mark_lock+0x4fa/0x11e0
[ 73.906769][ T9041]  ? print_shortest_lock_dependencies+0x90/0x90
[ 73.912981][ T9041]  __lock_acquire+0x13f7/0x4680
[ 73.917804][ T9041]  ? trace_hardirqs_off+0x62/0x240
[ 73.922913][ T9041]  ? kasan_check_read+0x11/0x20
[ 73.927745][ T9041]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 73.933551][ T9041]  ? mark_held_locks+0xf0/0xf0
[ 73.938302][ T9041]  ? kasan_check_read+0x11/0x20
[ 73.943244][ T9041]  lock_acquire+0x190/0x410
[ 73.947728][ T9041]  ? userfaultfd_release+0x4ca/0x710
[ 73.954455][ T9041]  _raw_spin_lock+0x2f/0x40
[ 73.958950][ T9041]  ? userfaultfd_release+0x4ca/0x710
[ 73.964207][ T9041]  userfaultfd_release+0x4ca/0x710
[ 73.969298][ T9041]  ? userfaultfd_event_wait_completion+0xa70/0xa70
[ 73.975793][ T9041]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 73.982011][ T9041]  ? ima_file_free+0xc9/0x430
[ 73.986662][ T9041]  __fput+0x2ff/0x890
[ 73.990626][ T9041]  ? userfaultfd_event_wait_completion+0xa70/0xa70
[ 73.997101][ T9041]  ____fput+0x16/0x20
[ 74.001063][ T9041]  task_work_run+0x145/0x1c0
[ 74.005631][ T9041]  do_exit+0x904/0x2eb0
[ 74.009761][ T9041]  ? mm_update_next_owner+0x640/0x640
[ 74.015212][ T9041]  ? lock_downgrade+0x920/0x920
[ 74.020042][ T9041]  ? _raw_spin_unlock_irq+0x28/0x90
[ 74.025328][ T9041]  ? get_signal+0x392/0x2500
[ 74.029922][ T9041]  ? _raw_spin_unlock_irq+0x28/0x90
[ 74.035111][ T9041]  do_group_exit+0x135/0x360
[ 74.039687][ T9041]  get_signal+0x47c/0x2500
[ 74.044143][ T9041]  ? __x64_sys_io_submit+0x31f/0x570
[ 74.049449][ T9041]  ? find_held_lock+0x35/0x130
[ 74.054210][ T9041]  ? __x64_sys_io_submit+0x31f/0x570
[ 74.059483][ T9041]  do_signal+0x87/0x1700
[ 74.063708][ T9041]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 74.069936][ T9041]  ? kasan_check_read+0x11/0x20
[ 74.074764][ T9041]  ? setup_sigcontext+0x7d0/0x7d0
[ 74.079788][ T9041]  ? exit_to_usermode_loop+0x43/0x2d0
[ 74.085153][ T9041]  ? do_syscall_64+0x5a9/0x6a0
[ 74.089921][ T9041]  ? exit_to_usermode_loop+0x43/0x2d0
[ 74.095279][ T9041]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 74.100548][ T9041]  ? trace_hardirqs_on+0x67/0x240
[ 74.105547][ T9041]  exit_to_usermode_loop+0x251/0x2d0
[ 74.110811][ T9041]  do_syscall_64+0x5a9/0x6a0
[ 74.115377][ T9041]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.121242][ T9041] RIP: 0033:0x4458f9
[ 74.125132][ T9041] Code: Bad RIP value.
[ 74.129172][ T9041] RSP: 002b:00007fac72668db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 74.137568][ T9041] RAX: fffffffffffffe00 RBX: 00000000006dac58 RCX: 00000000004458f9
[ 74.145634][ T9041] RDX: 0000000000000000 RSI: 0