[ 40.490895][ T26] audit: type=1800 audit(1554311831.068:28): pid=7617 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 41.177019][ T26] audit: type=1800 audit(1554311831.848:29): pid=7617 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 41.198098][ T26] audit: type=1800 audit(1554311831.848:30): pid=7617 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
[FAIL] startpar: service(s) returned failure: ssh ... failed!

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.178' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 48.163758][ T7793]
[ 48.166222][ T7793] ========================================================
[ 48.173388][ T7793] WARNING: possible irq lock inversion dependency detected
[ 48.180571][ T7793] 5.1.0-rc3+ #50 Not tainted
[ 48.185155][ T7793] --------------------------------------------------------
[ 48.192334][ T7793] syz-executor581/7793 just changed the state of lock:
[ 48.199195][ T7793] 00000000eed4218b (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0
[ 48.208900][ T7793] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 48.216953][ T7793]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 48.216961][ T7793]
[ 48.216961][ T7793]
[ 48.216961][ T7793] and interrupts could create inverse lock ordering between them.
[ 48.216961][ T7793]
[ 48.236523][ T7793]
[ 48.236523][ T7793] other info that might help us debug this:
[ 48.244569][ T7793] Chain exists of:
[ 48.244569][ T7793]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 48.244569][ T7793]
[ 48.258778][ T7793]  Possible interrupt unsafe locking scenario:
[ 48.258778][ T7793]
[ 48.267096][ T7793]        CPU0                    CPU1
[ 48.272457][ T7793]        ----                    ----
[ 48.277814][ T7793]   lock(&ctx->fault_pending_wqh);
[ 48.282903][ T7793]                                local_irq_disable();
[ 48.289642][ T7793]                                lock(&(&ctx->ctx_lock)->rlock);
[ 48.297377][ T7793]                                lock(&ctx->fd_wqh);
[ 48.304048][ T7793]   <Interrupt>
[ 48.307480][ T7793]     lock(&(&ctx->ctx_lock)->rlock);
[ 48.312848][ T7793]
[ 48.312848][ T7793]  *** DEADLOCK ***
[ 48.312848][ T7793]
[ 48.320972][ T7793] no locks held by syz-executor581/7793.
[ 48.326572][ T7793]
[ 48.326572][ T7793] the shortest dependencies between 2nd lock and 1st lock:
[ 48.335915][ T7793]  -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 48.341616][ T7793]     IN-SOFTIRQ-W at:
[ 48.345755][ T7793]       lock_acquire+0x16f/0x3f0
[ 48.352239][ T7793]       _raw_spin_lock_irq+0x60/0x80
[ 48.359076][ T7793]       free_ioctx_users+0x2d/0x4a0
[ 48.365817][ T7793]       percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[ 48.373968][ T7793]       rcu_core+0x928/0x1390
[ 48.380216][ T7793]       __do_softirq+0x266/0x95a
[ 48.386698][ T7793]       irq_exit+0x180/0x1d0
[ 48.392833][ T7793]       smp_apic_timer_interrupt+0x14a/0x570
[ 48.400358][ T7793]       apic_timer_interrupt+0xf/0x20
[ 48.407271][ T7793]       native_safe_halt+0x2/0x10
[ 48.413841][ T7793]       arch_cpu_idle+0x10/0x20
[ 48.420228][ T7793]       default_idle_call+0x36/0x90
[ 48.426963][ T7793]       do_idle+0x386/0x570
[ 48.433004][ T7793]       cpu_startup_entry+0x1b/0x20
[ 48.439741][ T7793]       rest_init+0x245/0x37b
[ 48.445959][ T7793]       arch_call_rest_init+0xe/0x1b
[ 48.452806][ T7793]       start_kernel+0x816/0x84f
[ 48.459310][ T7793]       x86_64_start_reservations+0x29/0x2b
[ 48.466841][ T7793]       x86_64_start_kernel+0x77/0x7b
[ 48.473754][ T7793]       secondary_startup_64+0xa4/0xb0
[ 48.480742][ T7793]     INITIAL USE at:
[ 48.484787][ T7793]       lock_acquire+0x16f/0x3f0
[ 48.491195][ T7793]       _raw_spin_lock_irq+0x60/0x80
[ 48.497934][ T7793]       io_submit_one+0xaec/0x2f90
[ 48.504515][ T7793]       __x64_sys_io_submit+0x1bd/0x580
[ 48.511527][ T7793]       do_syscall_64+0x103/0x610
[ 48.518053][ T7793]       entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.525827][ T7793]   }
[ 48.528483][ T7793]   ... key at: [] __key.52649+0x0/0x40
[ 48.536081][ T7793]   ... acquired at:
[ 48.540058][ T7793]     lock_acquire+0x16f/0x3f0
[ 48.544737][ T7793]     _raw_spin_lock+0x2f/0x40
[ 48.549401][ T7793]     io_submit_one+0xb31/0x2f90
[ 48.554246][ T7793]     __x64_sys_io_submit+0x1bd/0x580
[ 48.559508][ T7793]     do_syscall_64+0x103/0x610
[ 48.564244][ T7793]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.570284][ T7793]
[ 48.572587][ T7793]  -> (&ctx->fd_wqh){....} {
[ 48.577151][ T7793]     INITIAL USE at:
[ 48.581111][ T7793]       lock_acquire+0x16f/0x3f0
[ 48.587325][ T7793]       _raw_spin_lock_irq+0x60/0x80
[ 48.593887][ T7793]       userfaultfd_read+0x27a/0x1940
[ 48.600539][ T7793]       __vfs_read+0x8d/0x110
[ 48.606496][ T7793]       vfs_read+0x194/0x3e0
[ 48.612380][ T7793]       ksys_read+0xea/0x1f0
[ 48.618270][ T7793]       __x64_sys_read+0x73/0xb0
[ 48.624488][ T7793]       do_syscall_64+0x103/0x610
[ 48.630789][ T7793]       entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.638390][ T7793]   }
[ 48.640960][ T7793]   ... key at: [] __key.45459+0x0/0x40
[ 48.648651][ T7793]   ... acquired at:
[ 48.652525][ T7793]     lock_acquire+0x16f/0x3f0
[ 48.657176][ T7793]     _raw_spin_lock+0x2f/0x40
[ 48.661832][ T7793]     userfaultfd_read+0x540/0x1940
[ 48.666918][ T7793]     __vfs_read+0x8d/0x110
[ 48.671593][ T7793]     vfs_read+0x194/0x3e0
[ 48.675897][ T7793]     ksys_read+0xea/0x1f0
[ 48.680229][ T7793]     __x64_sys_read+0x73/0xb0
[ 48.684881][ T7793]     do_syscall_64+0x103/0x610
[ 48.689619][ T7793]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.695671][ T7793]
[ 48.697968][ T7793] -> (&ctx->fault_pending_wqh){+.+.} {
[ 48.703413][ T7793]    HARDIRQ-ON-W at:
[ 48.707376][ T7793]      lock_acquire+0x16f/0x3f0
[ 48.713523][ T7793]      _raw_spin_lock+0x2f/0x40
[ 48.719688][ T7793]      userfaultfd_release+0x48e/0x6d0
[ 48.726445][ T7793]      __fput+0x2e5/0x8d0
[ 48.732084][ T7793]      ____fput+0x16/0x20
[ 48.737722][ T7793]      task_work_run+0x14a/0x1c0
[ 48.743956][ T7793]      do_exit+0x90a/0x2fa0
[ 48.749734][ T7793]      do_group_exit+0x135/0x370
[ 48.755950][ T7793]      get_signal+0x399/0x1d50
[ 48.761995][ T7793]      do_signal+0x87/0x1940
[ 48.767879][ T7793]      exit_to_usermode_loop+0x244/0x2c0
[ 48.774792][ T7793]      do_syscall_64+0x52d/0x610
[ 48.781007][ T7793]      entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.788516][ T7793]    SOFTIRQ-ON-W at:
[ 48.792496][ T7793]      lock_acquire+0x16f/0x3f0
[ 48.798627][ T7793]      _raw_spin_lock+0x2f/0x40
[ 48.804769][ T7793]      userfaultfd_release+0x48e/0x6d0
[ 48.811505][ T7793]      __fput+0x2e5/0x8d0
[ 48.817113][ T7793]      ____fput+0x16/0x20
[ 48.822720][ T7793]      task_work_run+0x14a/0x1c0
[ 48.828933][ T7793]      do_exit+0x90a/0x2fa0
[ 48.834711][ T7793]      do_group_exit+0x135/0x370
[ 48.840928][ T7793]      get_signal+0x399/0x1d50
[ 48.846986][ T7793]      do_signal+0x87/0x1940
[ 48.852880][ T7793]      exit_to_usermode_loop+0x244/0x2c0
[ 48.859789][ T7793]      do_syscall_64+0x52d/0x610
[ 48.866030][ T7793]      entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.873543][ T7793]    INITIAL USE at:
[ 48.877440][ T7793]      lock_acquire+0x16f/0x3f0
[ 48.883576][ T7793]      _raw_spin_lock+0x2f/0x40
[ 48.889622][ T7793]      userfaultfd_read+0x540/0x1940
[ 48.896134][ T7793]      __vfs_read+0x8d/0x110
[ 48.901919][ T7793]      vfs_read+0x194/0x3e0
[ 48.907627][ T7793]      ksys_read+0xea/0x1f0
[ 48.913345][ T7793]      __x64_sys_read+0x73/0xb0
[ 48.919408][ T7793]      do_syscall_64+0x103/0x610
[ 48.925538][ T7793]      entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.932964][ T7793]  }
[ 48.935449][ T7793]  ... key at: [] __key.45456+0x0/0x40
[ 48.942870][ T7793]  ... acquired at:
[ 48.946666][ T7793]    mark_lock+0x427/0x1380
[ 48.951164][ T7793]    __lock_acquire+0x1317/0x3fb0
[ 48.956167][ T7793]    lock_acquire+0x16f/0x3f0
[ 48.960818][ T7793]    _raw_spin_lock+0x2f/0x40
[ 48.965470][ T7793]    userfaultfd_release+0x48e/0x6d0
[ 48.970728][ T7793]    __fput+0x2e5/0x8d0
[ 48.974859][ T7793]    ____fput+0x16/0x20
[ 48.978987][ T7793]    task_work_run+0x14a/0x1c0
[ 48.983724][ T7793]    do_exit+0x90a/0x2fa0
[ 48.988027][ T7793]    do_group_exit+0x135/0x370
[ 48.992784][ T7793]    get_signal+0x399/0x1d50
[ 48.997352][ T7793]    do_signal+0x87/0x1940
[ 49.001745][ T7793]    exit_to_usermode_loop+0x244/0x2c0
[ 49.007175][ T7793]    do_syscall_64+0x52d/0x610
[ 49.011912][ T7793]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 49.017944][ T7793]
[ 49.020245][ T7793]
[ 49.020245][ T7793] stack backtrace:
[ 49.026112][ T7793] CPU: 0 PID: 7793 Comm: syz-executor581 Not tainted 5.1.0-rc3+ #50
[ 49.034078][ T7793] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.044127][ T7793] Call Trace:
[ 49.047423][ T7793]  dump_stack+0x172/0x1f0
[ 49.051734][ T7793]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 49.057783][ T7793]  check_usage_backwards.cold+0x1d/0x26
[ 49.063410][ T7793]  ? print_shortest_lock_dependencies+0x90/0x90
[ 49.069662][ T7793]  ? save_stack_trace+0x1a/0x20
[ 49.074515][ T7793]  mark_lock+0x427/0x1380
[ 49.078825][ T7793]  ? print_shortest_lock_dependencies+0x90/0x90
[ 49.085040][ T7793]  __lock_acquire+0x1317/0x3fb0
[ 49.089868][ T7793]  ? trace_hardirqs_off+0x62/0x220
[ 49.094974][ T7793]  ? kasan_check_read+0x11/0x20
[ 49.099804][ T7793]  ? mark_held_locks+0xf0/0xf0
[ 49.104561][ T7793]  ? save_stack+0xa9/0xd0
[ 49.108867][ T7793]  ? save_stack+0x45/0xd0
[ 49.113171][ T7793]  ? __kasan_slab_free+0x102/0x150
[ 49.118272][ T7793]  ? kasan_slab_free+0xe/0x10
[ 49.122922][ T7793]  ? kmem_cache_free+0x86/0x260
[ 49.127745][ T7793]  ? free_fs_struct+0x4f/0x70
[ 49.132397][ T7793]  ? exit_fs+0xf0/0x130
[ 49.136527][ T7793]  lock_acquire+0x16f/0x3f0
[ 49.141006][ T7793]  ? userfaultfd_release+0x48e/0x6d0
[ 49.146265][ T7793]  _raw_spin_lock+0x2f/0x40
[ 49.150743][ T7793]  ? userfaultfd_release+0x48e/0x6d0
[ 49.156910][ T7793]  userfaultfd_release+0x48e/0x6d0
[ 49.162006][ T7793]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 49.167798][ T7793]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 49.178191][ T7793]  ? ima_file_free+0xc9/0x4a0
[ 49.182848][ T7793]  ? __might_sleep+0x95/0x190
[ 49.187518][ T7793]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 49.193299][ T7793]  __fput+0x2e5/0x8d0
[ 49.197258][ T7793]  ____fput+0x16/0x20
[ 49.201216][ T7793]  task_work_run+0x14a/0x1c0
[ 49.205781][ T7793]  do_exit+0x90a/0x2fa0
[ 49.209918][ T7793]  ? get_signal+0x331/0x1d50
[ 49.214484][ T7793]  ? mm_update_next_owner+0x640/0x640
[ 49.219850][ T7793]  ? kasan_check_write+0x14/0x20
[ 49.224764][ T7793]  ? _raw_spin_unlock_irq+0x28/0x90
[ 49.229959][ T7793]  ? get_signal+0x331/0x1d50
[ 49.234532][ T7793]  ? _raw_spin_unlock_irq+0x28/0x90
[ 49.239708][ T7793]  do_group_exit+0x135/0x370
[ 49.244290][ T7793]  get_signal+0x399/0x1d50
[ 49.248691][ T7793]  ? __x64_sys_io_submit+0x31f/0x580
[ 49.253954][ T7793]  do_signal+0x87/0x1940
[ 49.258172][ T7793]  ? lock_downgrade+0x880/0x880
[ 49.263007][ T7793]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 49.269236][ T7793]  ? kasan_check_read+0x11/0x20
[ 49.274088][ T7793]  ? setup_sigcontext+0x7d0/0x7d0
[ 49.279093][ T7793]  ? exit_to_usermode_loop+0x43/0x2c0
[ 49.284440][ T7793]  ? do_syscall_64+0x52d/0x610
[ 49.289195][ T7793]  ? exit_to_usermode_loop+0x43/0x2c0
[ 49.294541][ T7793]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 49.299803][ T7793]  ? trace_hardirqs_on+0x67/0x230
[ 49.304806][ T7793]  exit_to_usermode_loop+0x244/0x2c0
[ 49.310089][ T7793]  do_syscall_64+0x52d/0x610
[ 49.314663][ T7793]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 49.320530][ T7793] RIP: 0033:0x4458d9
[ 49.324408][ T7793] Code: Bad RIP value.
[ 49.328451][ T7793] RSP: 002b:00007f80f6539db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 49.336839][ T7793] RAX: fffffffffffffe00 RBX: 00000000006dac58 RCX: 00000000004458d9
[ 49.344784][ T7793] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dac58
[ 49.352732][ T7793] RBP: 00000000006dac50 R08: 0000000000000000 R09: 0000000000000000
[ 49.360694][ T7793] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac5c
[