[ 62.917688][ T26] audit: type=1800 audit(1560717959.246:25): pid=8995 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 62.960546][ T26] audit: type=1800 audit(1560717959.256:26): pid=8995 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 63.007761][ T26] audit: type=1800 audit(1560717959.256:27): pid=8995 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[FAIL] startpar: service(s) returned failure: ssh ... failed!
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.1.53' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 74.101501][ T9174]
[ 74.103860][ T9174] ========================================================
[ 74.111028][ T9174] WARNING: possible irq lock inversion dependency detected
[ 74.118216][ T9174] 5.2.0-rc4+ #52 Not tainted
[ 74.122817][ T9174] --------------------------------------------------------
[ 74.130015][ T9174] syz-executor579/9174 just changed the state of lock:
[ 74.136841][ T9174] 00000000246c5577 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x4ca/0x710
[ 74.146647][ T9174] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 74.154704][ T9174]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 74.154712][ T9174]
[ 74.154712][ T9174]
[ 74.154712][ T9174] and interrupts could create inverse lock ordering between them.
[ 74.154712][ T9174]
[ 74.174360][ T9174]
[ 74.174360][ T9174] other info that might help us debug this:
[ 74.182419][ T9174] Chain exists of:
[ 74.182419][ T9174]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 74.182419][ T9174]
[ 74.196757][ T9174]  Possible interrupt unsafe locking scenario:
[ 74.196757][ T9174]
[ 74.205169][ T9174]        CPU0                    CPU1
[ 74.210522][ T9174]        ----                    ----
[ 74.215888][ T9174]   lock(&ctx->fault_pending_wqh);
[ 74.221512][ T9174]                                local_irq_disable();
[ 74.228411][ T9174]                                lock(&(&ctx->ctx_lock)->rlock);
[ 74.236114][ T9174]                                lock(&ctx->fd_wqh);
[ 74.242774][ T9174]
[ 74.246256][ T9174]     lock(&(&ctx->ctx_lock)->rlock);
[ 74.251618][ T9174]
[ 74.251618][ T9174]  *** DEADLOCK ***
[ 74.251618][ T9174]
[ 74.259751][ T9174] no locks held by syz-executor579/9174.
[ 74.265359][ T9174]
[ 74.265359][ T9174] the shortest dependencies between 2nd lock and 1st lock:
[ 74.274989][ T9174] -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 74.280727][ T9174]   IN-SOFTIRQ-W at:
[ 74.285047][ T9174]     lock_acquire+0x16f/0x3f0
[ 74.291550][ T9174]     _raw_spin_lock_irq+0x60/0x80
[ 74.298906][ T9174]     free_ioctx_users+0x2d/0x490
[ 74.305839][ T9174]     percpu_ref_switch_to_atomic_rcu+0x407/0x540
[ 74.314420][ T9174]     rcu_core+0xba5/0x1500
[ 74.320789][ T9174]     __do_softirq+0x25c/0x94c
[ 74.327296][ T9174]     irq_exit+0x180/0x1d0
[ 74.333654][ T9174]     smp_apic_timer_interrupt+0x13b/0x550
[ 74.341212][ T9174]     apic_timer_interrupt+0xf/0x20
[ 74.348146][ T9174]     native_safe_halt+0xe/0x10
[ 74.354818][ T9174]     arch_cpu_idle+0xa/0x10
[ 74.361141][ T9174]     default_idle_call+0x36/0x90
[ 74.368574][ T9174]     do_idle+0x377/0x560
[ 74.374822][ T9174]     cpu_startup_entry+0x1b/0x20
[ 74.381700][ T9174]     rest_init+0x245/0x37b
[ 74.396292][ T9174]     arch_call_rest_init+0xe/0x1b
[ 74.403222][ T9174]     start_kernel+0x854/0x893
[ 74.409720][ T9174]     x86_64_start_reservations+0x29/0x2b
[ 74.424134][ T9174]     x86_64_start_kernel+0x77/0x7b
[ 74.431157][ T9174]     secondary_startup_64+0xa4/0xb0
[ 74.438159][ T9174]   INITIAL USE at:
[ 74.442212][ T9174]     lock_acquire+0x16f/0x3f0
[ 74.448815][ T9174]     _raw_spin_lock_irq+0x60/0x80
[ 74.455563][ T9174]     io_submit_one+0xeb5/0x2ef0
[ 74.462375][ T9174]     __x64_sys_io_submit+0x1bd/0x570
[ 74.469398][ T9174]     do_syscall_64+0xfd/0x680
[ 74.475984][ T9174]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.484122][ T9174] }
[ 74.487263][ T9174] ... key at: [] __key.53427+0x0/0x40
[ 74.494873][ T9174] ... acquired at:
[ 74.499037][ T9174]     _raw_spin_lock+0x2f/0x40
[ 74.505206][ T9174]     io_submit_one+0xefa/0x2ef0
[ 74.510040][ T9174]     __x64_sys_io_submit+0x1bd/0x570
[ 74.515393][ T9174]     do_syscall_64+0xfd/0x680
[ 74.520057][ T9174]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.526120][ T9174]
[ 74.528492][ T9174] -> (&ctx->fd_wqh){....} {
[ 74.534619][ T9174]   INITIAL USE at:
[ 74.538594][ T9174]     lock_acquire+0x16f/0x3f0
[ 74.544826][ T9174]     _raw_spin_lock_irq+0x60/0x80
[ 74.551407][ T9174]     userfaultfd_read+0x27a/0x1940
[ 74.558176][ T9174]     do_iter_read+0x4a4/0x660
[ 74.564401][ T9174]     vfs_readv+0xf0/0x160
[ 74.570449][ T9174]     do_readv+0x15b/0x330
[ 74.576340][ T9174]     __x64_sys_readv+0x75/0xb0
[ 74.582651][ T9174]     do_syscall_64+0xfd/0x680
[ 74.588884][ T9174]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.596496][ T9174] }
[ 74.599075][ T9174] ... key at: [] __key.46103+0x0/0x40
[ 74.606594][ T9174] ... acquired at:
[ 74.610473][ T9174]     _raw_spin_lock+0x2f/0x40
[ 74.615136][ T9174]     userfaultfd_read+0x540/0x1940
[ 74.620233][ T9174]     do_iter_read+0x4a4/0x660
[ 74.624998][ T9174]     vfs_readv+0xf0/0x160
[ 74.629309][ T9174]     do_readv+0x15b/0x330
[ 74.633625][ T9174]     __x64_sys_readv+0x75/0xb0
[ 74.638363][ T9174]     do_syscall_64+0xfd/0x680
[ 74.643026][ T9174]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.649060][ T9174]
[ 74.651363][ T9174] -> (&ctx->fault_pending_wqh){+.+.} {
[ 74.656805][ T9174]   HARDIRQ-ON-W at:
[ 74.660854][ T9174]     lock_acquire+0x16f/0x3f0
[ 74.667002][ T9174]     _raw_spin_lock+0x2f/0x40
[ 74.673138][ T9174]     userfaultfd_release+0x4ca/0x710
[ 74.679875][ T9174]     __fput+0x2ff/0x890
[ 74.685482][ T9174]     ____fput+0x16/0x20
[ 74.691093][ T9174]     task_work_run+0x145/0x1c0
[ 74.697312][ T9174]     do_exit+0x90a/0x2fa0
[ 74.703092][ T9174]     do_group_exit+0x135/0x370
[ 74.709322][ T9174]     get_signal+0x471/0x24b0
[ 74.715367][ T9174]     do_signal+0x87/0x1900
[ 74.721243][ T9174]     exit_to_usermode_loop+0x244/0x2c0
[ 74.728162][ T9174]     do_syscall_64+0x58e/0x680
[ 74.734385][ T9174]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.741897][ T9174]   SOFTIRQ-ON-W at:
[ 74.745872][ T9174]     lock_acquire+0x16f/0x3f0
[ 74.752002][ T9174]     _raw_spin_lock+0x2f/0x40
[ 74.758131][ T9174]     userfaultfd_release+0x4ca/0x710
[ 74.764867][ T9174]     __fput+0x2ff/0x890
[ 74.770477][ T9174]     ____fput+0x16/0x20
[ 74.776100][ T9174]     task_work_run+0x145/0x1c0
[ 74.782338][ T9174]     do_exit+0x90a/0x2fa0
[ 74.788217][ T9174]     do_group_exit+0x135/0x370
[ 74.794432][ T9174]     get_signal+0x471/0x24b0
[ 74.800476][ T9174]     do_signal+0x87/0x1900
[ 74.806342][ T9174]     exit_to_usermode_loop+0x244/0x2c0
[ 74.813275][ T9174]     do_syscall_64+0x58e/0x680
[ 74.819495][ T9174]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.827014][ T9174]   INITIAL USE at:
[ 74.830940][ T9174]     lock_acquire+0x16f/0x3f0
[ 74.837093][ T9174]     _raw_spin_lock+0x2f/0x40
[ 74.843145][ T9174]     userfaultfd_read+0x540/0x1940
[ 74.849629][ T9174]     do_iter_read+0x4a4/0x660
[ 74.855686][ T9174]     vfs_readv+0xf0/0x160
[ 74.861390][ T9174]     do_readv+0x15b/0x330
[ 74.867086][ T9174]     __x64_sys_readv+0x75/0xb0
[ 74.873223][ T9174]     do_syscall_64+0xfd/0x680
[ 74.879272][ T9174]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.886712][ T9174] }
[ 74.889201][ T9174] ... key at: [] __key.46100+0x0/0x40
[ 74.896632][ T9174] ... acquired at:
[ 74.900420][ T9174]     mark_lock+0x420/0x1370
[ 74.904897][ T9174]     __lock_acquire+0x12df/0x5490
[ 74.909903][ T9174]     lock_acquire+0x16f/0x3f0
[ 74.914585][ T9174]     _raw_spin_lock+0x2f/0x40
[ 74.919256][ T9174]     userfaultfd_release+0x4ca/0x710
[ 74.924532][ T9174]     __fput+0x2ff/0x890
[ 74.928675][ T9174]     ____fput+0x16/0x20
[ 74.932806][ T9174]     task_work_run+0x145/0x1c0
[ 74.937574][ T9174]     do_exit+0x90a/0x2fa0
[ 74.941889][ T9174]     do_group_exit+0x135/0x370
[ 74.946652][ T9174]     get_signal+0x471/0x24b0
[ 74.951246][ T9174]     do_signal+0x87/0x1900
[ 74.955648][ T9174]     exit_to_usermode_loop+0x244/0x2c0
[ 74.961084][ T9174]     do_syscall_64+0x58e/0x680
[ 74.965841][ T9174]     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.971877][ T9174]
[ 74.974183][ T9174]
[ 74.974183][ T9174] stack backtrace:
[ 74.980177][ T9174] CPU: 0 PID: 9174 Comm: syz-executor579 Not tainted 5.2.0-rc4+ #52
[ 74.988144][ T9174] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.998450][ T9174] Call Trace:
[ 75.002130][ T9174]  dump_stack+0x172/0x1f0
[ 75.006538][ T9174]  print_irq_inversion_bug.part.0+0x2c5/0x2d2
[ 75.014841][ T9174]  check_usage_backwards.cold+0x1d/0x26
[ 75.020399][ T9174]  ? print_shortest_lock_dependencies+0x90/0x90
[ 75.026649][ T9174]  ? stack_trace_save+0xac/0xe0
[ 75.031481][ T9174]  ? stack_trace_consume_entry+0x190/0x190
[ 75.037658][ T9174]  ? kasan_check_write+0x14/0x20
[ 75.042746][ T9174]  ? graph_lock+0x7b/0x200
[ 75.047428][ T9174]  ? __lockdep_reset_lock+0x450/0x450
[ 75.053859][ T9174]  mark_lock+0x420/0x1370
[ 75.058191][ T9174]  ? print_shortest_lock_dependencies+0x90/0x90
[ 75.064422][ T9174]  __lock_acquire+0x12df/0x5490
[ 75.069260][ T9174]  ? kasan_check_write+0x14/0x20
[ 75.074181][ T9174]  ? mark_held_locks+0xf0/0xf0
[ 75.078935][ T9174]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 75.084900][ T9174]  ? stack_depot_save+0x25a/0x450
[ 75.089915][ T9174]  lock_acquire+0x16f/0x3f0
[ 75.094501][ T9174]  ? userfaultfd_release+0x4ca/0x710
[ 75.100477][ T9174]  _raw_spin_lock+0x2f/0x40
[ 75.104966][ T9174]  ? userfaultfd_release+0x4ca/0x710
[ 75.112122][ T9174]  userfaultfd_release+0x4ca/0x710
[ 75.119183][ T9174]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 75.125480][ T9174]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 75.131733][ T9174]  ? ima_file_free+0xc9/0x4a0
[ 75.137667][ T9174]  __fput+0x2ff/0x890
[ 75.141644][ T9174]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 75.147449][ T9174]  ____fput+0x16/0x20
[ 75.151452][ T9174]  task_work_run+0x145/0x1c0
[ 75.156403][ T9174]  do_exit+0x90a/0x2fa0
[ 75.160551][ T9174]  ? get_signal+0x387/0x24b0
[ 75.165315][ T9174]  ? mm_update_next_owner+0x640/0x640
[ 75.171164][ T9174]  ? kasan_check_write+0x14/0x20
[ 75.176708][ T9174]  ? _raw_spin_unlock_irq+0x28/0x90
[ 75.182002][ T9174]  ? get_signal+0x387/0x24b0
[ 75.186575][ T9174]  ? _raw_spin_unlock_irq+0x28/0x90
[ 75.191791][ T9174]  do_group_exit+0x135/0x370
[ 75.196408][ T9174]  get_signal+0x471/0x24b0
[ 75.201101][ T9174]  ? exit_robust_list+0x2c0/0x2c0
[ 75.206163][ T9174]  do_signal+0x87/0x1900
[ 75.210412][ T9174]  ? lock_downgrade+0x880/0x880
[ 75.215267][ T9174]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 75.221487][ T9174]  ? kasan_check_read+0x11/0x20
[ 75.226332][ T9174]  ? setup_sigcontext+0x7d0/0x7d0
[ 75.231352][ T9174]  ? exit_to_usermode_loop+0x43/0x2c0
[ 75.236714][ T9174]  ? do_syscall_64+0x58e/0x680
[ 75.241460][ T9174]  ? exit_to_usermode_loop+0x43/0x2c0
[ 75.246814][ T9174]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 75.252098][ T9174]  ? trace_hardirqs_on+0x67/0x220
[ 75.257138][ T9174]  exit_to_usermode_loop+0x244/0x2c0
[ 75.262405][ T9174]  do_syscall_64+0x58e/0x680
[ 75.266972][ T9174]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.272854][ T9174] RIP: 0033:0x445919
[ 75.276747][ T9174] Code: Bad RIP value.
[ 75.280786][ T9174] RSP: 002b:00007fbe95681db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 75.289186][ T9174] RAX: fffffffffffffe00 RBX: 00000000006dac58 RCX: 0000000000445919
[ 75.297135][ T9174] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dac58
[ 75.305082][ T9174]