[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c.
[ 33.575069] kauditd_printk_skb: 8 callbacks suppressed
[ 33.575077] audit: type=1800 audit(1549703220.337:29): pid=7237 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 33.604584] audit: type=1800 audit(1549703220.337:30): pid=7237 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.136' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 44.204159]
[ 44.205906] ========================================================
[ 44.212719] WARNING: possible irq lock inversion dependency detected
[ 44.219182] 5.0.0-rc5+ #64 Not tainted
[ 44.223038] --------------------------------------------------------
[ 44.229497] syz-executor181/7391 just changed the state of lock:
[ 44.235614] 00000000c5b3579f (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x497/0x6d0
[ 44.244766] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 44.252247] (&(&ctx->ctx_lock)->rlock){..-.}
[ 44.252252]
[ 44.252252]
[ 44.252252] and interrupts could create inverse lock ordering between them.
[ 44.252252]
[ 44.268327]
[ 44.268327] other info that might help us debug this:
[ 44.274971] Chain exists of:
[ 44.274971] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 44.274971]
[ 44.287209] Possible interrupt unsafe locking scenario:
[ 44.287209]
[ 44.294401] CPU0 CPU1
[ 44.299039] ---- ----
[ 44.303674] lock(&ctx->fault_pending_wqh);
[ 44.308066] local_irq_disable();
[ 44.314093] lock(&(&ctx->ctx_lock)->rlock);
[ 44.321079] lock(&ctx->fd_wqh);
[ 44.327021]
[ 44.329743] lock(&(&ctx->ctx_lock)->rlock);
[ 44.334377]
[ 44.334377] *** DEADLOCK ***
[ 44.334377]
[ 44.340404] no locks held by syz-executor181/7391.
[ 44.345307]
[ 44.345307] the shortest dependencies between 2nd lock and 1st lock:
[ 44.353263] -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 44.358250] IN-SOFTIRQ-W at:
[ 44.361680] lock_acquire+0x16f/0x3f0
[ 44.367451] _raw_spin_lock_irq+0x60/0x80
[ 44.373573] free_ioctx_users+0x2d/0x4a0
[ 44.379606] percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[ 44.387025] rcu_process_callbacks+0x928/0x1390
[ 44.393659] __do_softirq+0x266/0x95a
[ 44.399430] irq_exit+0x180/0x1d0
[ 44.404882] smp_apic_timer_interrupt+0x14a/0x570
[ 44.411833] apic_timer_interrupt+0xf/0x20
[ 44.418056] native_safe_halt+0x2/0x10
[ 44.423913] arch_cpu_idle+0x10/0x20
[ 44.429592] default_idle_call+0x36/0x90
[ 44.435634] do_idle+0x386/0x570
[ 44.441238] cpu_startup_entry+0x1b/0x20
[ 44.447274] rest_init+0x245/0x37b
[ 44.452786] arch_call_rest_init+0xe/0x1b
[ 44.458914] start_kernel+0x808/0x841
[ 44.464684] x86_64_start_reservations+0x29/0x2b
[ 44.471412] x86_64_start_kernel+0x77/0x7b
[ 44.477751] secondary_startup_64+0xa4/0xb0
[ 44.484039] INITIAL USE at:
[ 44.487381] lock_acquire+0x16f/0x3f0
[ 44.493062] _raw_spin_lock_irq+0x60/0x80
[ 44.499090] io_submit_one+0xeb6/0x1cf0
[ 44.504946] __x64_sys_io_submit+0x1bd/0x580
[ 44.511317] do_syscall_64+0x103/0x610
[ 44.517085] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 44.524153] }
[ 44.526280] ... key at: [] __key.51970+0x0/0x40
[ 44.533173] ... acquired at:
[ 44.536422] _raw_spin_lock+0x2f/0x40
[ 44.540367] io_submit_one+0xedf/0x1cf0
[ 44.544487] __x64_sys_io_submit+0x1bd/0x580
[ 44.549047] do_syscall_64+0x103/0x610
[ 44.553080] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 44.558409]
[ 44.560004] -> (&ctx->fd_wqh){....} {
[ 44.563862] INITIAL USE at:
[ 44.567114] lock_acquire+0x16f/0x3f0
[ 44.572628] _raw_spin_lock_irq+0x60/0x80
[ 44.578488] userfaultfd_read+0x27a/0x1940
[ 44.584434] __vfs_read+0x116/0x8c0
[ 44.589765] vfs_read+0x194/0x3e0
[ 44.594925] ksys_read+0xea/0x1f0
[ 44.600086] __x64_sys_read+0x73/0xb0
[ 44.605592] do_syscall_64+0x103/0x610
[ 44.611186] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 44.618081] }
[ 44.619947] ... key at: [] __key.44852+0x0/0x40
[ 44.626752] ... acquired at:
[ 44.629914] _raw_spin_lock+0x2f/0x40
[ 44.633861] userfaultfd_read+0x540/0x1940
[ 44.638237] __vfs_read+0x116/0x8c0
[ 44.642009] vfs_read+0x194/0x3e0
[ 44.645737] ksys_read+0xea/0x1f0
[ 44.649340] __x64_sys_read+0x73/0xb0
[ 44.653283] do_syscall_64+0x103/0x610
[ 44.657317] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 44.662651]
[ 44.664264] -> (&ctx->fault_pending_wqh){+.+.} {
[ 44.668990] HARDIRQ-ON-W at:
[ 44.672241] lock_acquire+0x16f/0x3f0
[ 44.677667] _raw_spin_lock+0x2f/0x40
[ 44.683088] userfaultfd_release+0x497/0x6d0
[ 44.689116] __fput+0x2df/0x8d0
[ 44.694014] ____fput+0x16/0x20
[ 44.698912] task_work_run+0x14a/0x1c0
[ 44.704420] do_exit+0x92c/0x2fd0
[ 44.709494] do_group_exit+0x135/0x370
[ 44.715000] get_signal+0x35c/0x1d60
[ 44.720337] do_signal+0x87/0x1940
[ 44.725495] exit_to_usermode_loop+0x244/0x2c0
[ 44.731697] do_syscall_64+0x52d/0x610
[ 44.737305] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 44.744120] SOFTIRQ-ON-W at:
[ 44.747379] lock_acquire+0x16f/0x3f0
[ 44.752801] _raw_spin_lock+0x2f/0x40
[ 44.758310] userfaultfd_release+0x497/0x6d0
[ 44.764343] __fput+0x2df/0x8d0
[ 44.769244] ____fput+0x16/0x20
[ 44.774143] task_work_run+0x14a/0x1c0
[ 44.779853] do_exit+0x92c/0x2fd0
[ 44.785123] do_group_exit+0x135/0x370
[ 44.790633] get_signal+0x35c/0x1d60
[ 44.795971] do_signal+0x87/0x1940
[ 44.801132] exit_to_usermode_loop+0x244/0x2c0
[ 44.807338] do_syscall_64+0x52d/0x610
[ 44.813002] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 44.819900] INITIAL USE at:
[ 44.823073] lock_acquire+0x16f/0x3f0
[ 44.828791] _raw_spin_lock+0x2f/0x40
[ 44.834174] userfaultfd_read+0x540/0x1940
[ 44.839949] __vfs_read+0x116/0x8c0
[ 44.845108] vfs_read+0x194/0x3e0
[ 44.850093] ksys_read+0xea/0x1f0
[ 44.855081] __x64_sys_read+0x73/0xb0
[ 44.860433] do_syscall_64+0x103/0x610
[ 44.865859] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 44.872579] }
[ 44.874358] ... key at: [] __key.44849+0x0/0x40
[ 44.881087] ... acquired at:
[ 44.884231] mark_lock+0x427/0x1380
[ 44.888023] __lock_acquire+0xca5/0x4700
[ 44.892227] lock_acquire+0x16f/0x3f0
[ 44.896173] _raw_spin_lock+0x2f/0x40
[ 44.900137] userfaultfd_release+0x497/0x6d0
[ 44.904695] __fput+0x2df/0x8d0
[ 44.908120] ____fput+0x16/0x20
[ 44.911653] task_work_run+0x14a/0x1c0
[ 44.915691] do_exit+0x92c/0x2fd0
[ 44.919307] do_group_exit+0x135/0x370
[ 44.923351] get_signal+0x35c/0x1d60
[ 44.927212] do_signal+0x87/0x1940
[ 44.930908] exit_to_usermode_loop+0x244/0x2c0
[ 44.935637] do_syscall_64+0x52d/0x610
[ 44.939681] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 44.945013]
[ 44.946617]
[ 44.946617] stack backtrace:
[ 44.951093] CPU: 0 PID: 7391 Comm: syz-executor181 Not tainted 5.0.0-rc5+ #64
[ 44.958339] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.967673] Call Trace:
[ 44.970242] dump_stack+0x172/0x1f0
[ 44.973851] print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 44.979193] check_usage_backwards.cold+0x1d/0x26
[ 44.984020] ? print_shortest_lock_dependencies+0x90/0x90
[ 44.989596] ? save_stack_trace+0x1a/0x20
[ 44.993738] ? save_trace+0xe0/0x290
[ 44.997572] mark_lock+0x427/0x1380
[ 45.001176] ? print_shortest_lock_dependencies+0x90/0x90
[ 45.006689] __lock_acquire+0xca5/0x4700
[ 45.010736] ? depot_save_stack+0x1de/0x460
[ 45.015034] ? kasan_check_read+0x11/0x20
[ 45.019160] ? mark_held_locks+0x100/0x100
[ 45.023384] ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 45.028468] ? depot_save_stack+0x1de/0x460
[ 45.032770] ? __lock_acquire+0x53b/0x4700
[ 45.036999] ? __lock_acquire+0x53b/0x4700
[ 45.041224] ? free_fs_struct+0x4f/0x70
[ 45.045191] ? do_exit+0x902/0x2fd0
[ 45.048794] lock_acquire+0x16f/0x3f0
[ 45.052599] ? userfaultfd_release+0x497/0x6d0
[ 45.057164] _raw_spin_lock+0x2f/0x40
[ 45.060942] ? userfaultfd_release+0x497/0x6d0
[ 45.065497] userfaultfd_release+0x497/0x6d0
[ 45.069881] ? userfaultfd_event_wait_completion+0xa50/0xa50
[ 45.075746] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 45.081258] ? ima_file_free+0xc9/0x4a0
[ 45.085206] ? __might_sleep+0x95/0x190
[ 45.089151] ? userfaultfd_event_wait_completion+0xa50/0xa50
[ 45.094921] __fput+0x2df/0x8d0
[ 45.098179] ____fput+0x16/0x20
[ 45.101453] task_work_run+0x14a/0x1c0
[ 45.105331] do_exit+0x92c/0x2fd0
[ 45.108761] ? get_signal+0x2f2/0x1d60
[ 45.112635] ? mm_update_next_owner+0x660/0x660
[ 45.117283] ? kasan_check_read+0x11/0x20
[ 45.121552] ? _raw_spin_unlock_irq+0x28/0x90
[ 45.126369] ? get_signal+0x2f2/0x1d60
[ 45.130229] ? _raw_spin_unlock_irq+0x28/0x90
[ 45.134696] do_group_exit+0x135/0x370
[ 45.138560] get_signal+0x35c/0x1d60
[ 45.142250] ? __x64_sys_io_submit+0x31f/0x580
[ 45.146812] do_signal+0x87/0x1940
[ 45.150409] ? lock_downgrade+0x810/0x810
[ 45.154546] ? kasan_check_read+0x11/0x20
[ 45.158831] ? setup_sigcontext+0x7d0/0x7d0
[ 45.163137] ? exit_to_usermode_loop+0x43/0x2c0
[ 45.167781] ? do_syscall_64+0x52d/0x610
[ 45.171814] ? exit_to_usermode_loop+0x43/0x2c0
[ 45.176454] ? lockdep_hardirqs_on+0x415/0x5d0
[ 45.181007] ? trace_hardirqs_on+0x67/0x230
[ 45.185303] exit_to_usermode_loop+0x244/0x2c0
[ 45.189856] do_syscall_64+0x52d/0x610
[ 45.193810] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 45.198971] RIP: 0033:0x4457a9
[ 45.202140] Code: Bad RIP value.
[ 45.205476] RSP: 002b:00007fefa9