[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 37.959761][ T26] audit: type=1800 audit(1554224234.587:25): pid=7556 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 37.997337][ T26] audit: type=1800 audit(1554224234.587:26): pid=7556 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 38.024542][ T26] audit: type=1800 audit(1554224234.597:27): pid=7556 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 46.578250][ T7710] [ 46.580833][ T7710] ======================================================== [ 46.588414][ T7710] WARNING: possible irq lock inversion dependency detected [ 46.595706][ T7710] 5.1.0-rc3+ #47 Not tainted [ 46.600652][ T7710] -------------------------------------------------------- [ 46.608059][ T7710] syz-executor126/7710 just changed the state of lock: [ 46.615520][ T7710] 00000000f03b8957 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0 [ 46.625432][ T7710] but this lock was taken by another, SOFTIRQ-safe lock in the past: [ 46.633651][ T7710] (&(&ctx->ctx_lock)->rlock){..-.} [ 46.633659][ T7710] [ 46.633659][ T7710] [ 46.633659][ T7710] and interrupts could create inverse lock ordering between them. [ 46.633659][ T7710] [ 46.653428][ T7710] [ 46.653428][ T7710] other info that might help us debug this: [ 46.661570][ T7710] Chain exists of: [ 46.661570][ T7710] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh [ 46.661570][ T7710] [ 46.676512][ T7710] Possible interrupt unsafe locking scenario: [ 46.676512][ T7710] [ 46.686721][ T7710] CPU0 CPU1 [ 46.692252][ T7710] ---- ---- [ 46.697706][ T7710] lock(&ctx->fault_pending_wqh); [ 46.703792][ T7710] local_irq_disable(); [ 46.710652][ T7710] lock(&(&ctx->ctx_lock)->rlock); [ 46.718744][ T7710] lock(&ctx->fd_wqh); [ 46.725583][ T7710] [ 46.729137][ T7710] lock(&(&ctx->ctx_lock)->rlock); [ 46.735057][ T7710] [ 46.735057][ T7710] *** DEADLOCK *** [ 46.735057][ T7710] [ 46.743597][ T7710] no locks held by syz-executor126/7710. [ 46.749227][ T7710] [ 46.749227][ T7710] the shortest dependencies between 2nd lock and 1st lock: [ 46.759328][ T7710] -> (&(&ctx->ctx_lock)->rlock){..-.} { [ 46.765440][ T7710] IN-SOFTIRQ-W at: [ 46.769809][ T7710] lock_acquire+0x16f/0x3f0 [ 46.776508][ T7710] _raw_spin_lock_irq+0x60/0x80 [ 46.783435][ T7710] free_ioctx_users+0x2d/0x4a0 [ 46.790672][ T7710] percpu_ref_switch_to_atomic_rcu+0x3e7/0x520 [ 46.799027][ T7710] rcu_core+0x928/0x1390 [ 46.805408][ T7710] __do_softirq+0x266/0x95a [ 46.812090][ T7710] irq_exit+0x180/0x1d0 [ 46.818443][ T7710] smp_apic_timer_interrupt+0x14a/0x570 [ 46.826236][ T7710] apic_timer_interrupt+0xf/0x20 [ 46.833162][ T7710] native_safe_halt+0x2/0x10 [ 46.839745][ T7710] arch_cpu_idle+0x10/0x20 [ 46.846339][ T7710] default_idle_call+0x36/0x90 [ 46.853317][ T7710] do_idle+0x386/0x570 [ 46.859656][ T7710] cpu_startup_entry+0x1b/0x20 [ 46.866500][ T7710] rest_init+0x245/0x37b [ 46.872936][ T7710] arch_call_rest_init+0xe/0x1b [ 46.880528][ T7710] start_kernel+0x816/0x84f [ 46.887120][ T7710] x86_64_start_reservations+0x29/0x2b [ 46.894772][ T7710] x86_64_start_kernel+0x77/0x7b [ 46.901725][ T7710] secondary_startup_64+0xa4/0xb0 [ 46.908913][ T7710] INITIAL USE at: [ 46.913025][ T7710] lock_acquire+0x16f/0x3f0 [ 46.919668][ T7710] _raw_spin_lock_irq+0x60/0x80 [ 46.926607][ T7710] io_submit_one+0xaec/0x2f90 [ 46.933307][ T7710] __x64_sys_io_submit+0x1bd/0x580 [ 46.941087][ T7710] do_syscall_64+0x103/0x610 [ 46.948028][ T7710] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 46.957401][ T7710] } [ 46.960108][ T7710] ... key at: [] __key.52649+0x0/0x40 [ 46.967723][ T7710] ... acquired at: [ 46.972139][ T7710] lock_acquire+0x16f/0x3f0 [ 46.977145][ T7710] _raw_spin_lock+0x2f/0x40 [ 46.981822][ T7710] io_submit_one+0xb31/0x2f90 [ 46.986685][ T7710] __x64_sys_io_submit+0x1bd/0x580 [ 46.992243][ T7710] do_syscall_64+0x103/0x610 [ 46.997111][ T7710] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 47.003359][ T7710] [ 47.005699][ T7710] -> (&ctx->fd_wqh){....} { [ 47.010363][ T7710] INITIAL USE at: [ 47.014435][ T7710] lock_acquire+0x16f/0x3f0 [ 47.020990][ T7710] _raw_spin_lock_irq+0x60/0x80 [ 47.027865][ T7710] userfaultfd_read+0x27a/0x1940 [ 47.034622][ T7710] __vfs_read+0x8d/0x110 [ 47.040873][ T7710] vfs_read+0x194/0x3e0 [ 47.047040][ T7710] ksys_read+0xea/0x1f0 [ 47.052992][ T7710] __x64_sys_read+0x73/0xb0 [ 47.059666][ T7710] do_syscall_64+0x103/0x610 [ 47.066171][ T7710] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 47.073995][ T7710] } [ 47.076792][ T7710] ... key at: [] __key.45459+0x0/0x40 [ 47.084492][ T7710] ... acquired at: [ 47.089359][ T7710] lock_acquire+0x16f/0x3f0 [ 47.094191][ T7710] _raw_spin_lock+0x2f/0x40 [ 47.098991][ T7710] userfaultfd_read+0x540/0x1940 [ 47.104104][ T7710] __vfs_read+0x8d/0x110 [ 47.108756][ T7710] vfs_read+0x194/0x3e0 [ 47.113091][ T7710] ksys_read+0xea/0x1f0 [ 47.121531][ T7710] __x64_sys_read+0x73/0xb0 [ 47.126867][ T7710] do_syscall_64+0x103/0x610 [ 47.132120][ T7710] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 47.138361][ T7710] [ 47.140907][ T7710] -> (&ctx->fault_pending_wqh){+.+.} { [ 47.146433][ T7710] HARDIRQ-ON-W at: [ 47.150528][ T7710] lock_acquire+0x16f/0x3f0 [ 47.156865][ T7710] _raw_spin_lock+0x2f/0x40 [ 47.163015][ T7710] userfaultfd_release+0x48e/0x6d0 [ 47.169768][ T7710] __fput+0x2e5/0x8d0 [ 47.175647][ T7710] ____fput+0x16/0x20 [ 47.181298][ T7710] task_work_run+0x14a/0x1c0 [ 47.187702][ T7710] do_exit+0x90a/0x2fa0 [ 47.193497][ T7710] do_group_exit+0x135/0x370 [ 47.199993][ T7710] get_signal+0x399/0x1d50 [ 47.206318][ T7710] do_signal+0x87/0x1940 [ 47.212292][ T7710] exit_to_usermode_loop+0x244/0x2c0 [ 47.219430][ T7710] do_syscall_64+0x52d/0x610 [ 47.228147][ T7710] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 47.237305][ T7710] SOFTIRQ-ON-W at: [ 47.241391][ T7710] lock_acquire+0x16f/0x3f0 [ 47.247723][ T7710] _raw_spin_lock+0x2f/0x40 [ 47.254105][ T7710] userfaultfd_release+0x48e/0x6d0 [ 47.260863][ T7710] __fput+0x2e5/0x8d0 [ 47.266573][ T7710] ____fput+0x16/0x20 [ 47.273331][ T7710] task_work_run+0x14a/0x1c0 [ 47.279660][ T7710] do_exit+0x90a/0x2fa0 [ 47.285804][ T7710] do_group_exit+0x135/0x370 [ 47.292289][ T7710] get_signal+0x399/0x1d50 [ 47.298784][ T7710] do_signal+0x87/0x1940 [ 47.304677][ T7710] exit_to_usermode_loop+0x244/0x2c0 [ 47.312015][ T7710] do_syscall_64+0x52d/0x610 [ 47.318389][ T7710] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 47.326006][ T7710] INITIAL USE at: [ 47.329907][ T7710] lock_acquire+0x16f/0x3f0 [ 47.336632][ T7710] _raw_spin_lock+0x2f/0x40 [ 47.343449][ T7710] userfaultfd_read+0x540/0x1940 [ 47.350642][ T7710] __vfs_read+0x8d/0x110 [ 47.356968][ T7710] vfs_read+0x194/0x3e0 [ 47.363296][ T7710] ksys_read+0xea/0x1f0 [ 47.369109][ T7710] __x64_sys_read+0x73/0xb0 [ 47.375641][ T7710] do_syscall_64+0x103/0x610 [ 47.388449][ T7710] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 47.395890][ T7710] } [ 47.398396][ T7710] ... key at: [] __key.45456+0x0/0x40 [ 47.405966][ T7710] ... acquired at: [ 47.410208][ T7710] mark_lock+0x427/0x1380 [ 47.414834][ T7710] __lock_acquire+0x1317/0x3fb0 [ 47.419857][ T7710] lock_acquire+0x16f/0x3f0 [ 47.424611][ T7710] _raw_spin_lock+0x2f/0x40 [ 47.429491][ T7710] userfaultfd_release+0x48e/0x6d0 [ 47.435051][ T7710] __fput+0x2e5/0x8d0 [ 47.439442][ T7710] ____fput+0x16/0x20 [ 47.443691][ T7710] task_work_run+0x14a/0x1c0 [ 47.448469][ T7710] do_exit+0x90a/0x2fa0 [ 47.452795][ T7710] do_group_exit+0x135/0x370 [ 47.457557][ T7710] get_signal+0x399/0x1d50 [ 47.462315][ T7710] do_signal+0x87/0x1940 [ 47.466720][ T7710] exit_to_usermode_loop+0x244/0x2c0 [ 47.472259][ T7710] do_syscall_64+0x52d/0x610 [ 47.477328][ T7710] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 47.483823][ T7710] [ 47.486271][ T7710] [ 47.486271][ T7710] stack backtrace: [ 47.492398][ T7710] CPU: 0 PID: 7710 Comm: syz-executor126 Not tainted 5.1.0-rc3+ #47 [ 47.500754][ T7710] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 47.511424][ T7710] Call Trace: [ 47.515152][ T7710] dump_stack+0x172/0x1f0 [ 47.519504][ T7710] print_irq_inversion_bug.part.0+0x2c0/0x2cd [ 47.525661][ T7710] check_usage_backwards.cold+0x1d/0x26 [ 47.531336][ T7710] ? print_shortest_lock_dependencies+0x90/0x90 [ 47.537843][ T7710] ? save_stack_trace+0x1a/0x20 [ 47.543043][ T7710] mark_lock+0x427/0x1380 [ 47.553349][ T7710] ? print_shortest_lock_dependencies+0x90/0x90 [ 47.559966][ T7710] __lock_acquire+0x1317/0x3fb0 [ 47.565408][ T7710] ? trace_hardirqs_off+0x62/0x220 [ 47.570971][ T7710] ? kasan_check_read+0x11/0x20 [ 47.576034][ T7710] ? mark_held_locks+0xf0/0xf0 [ 47.580962][ T7710] ? save_stack+0xa9/0xd0 [ 47.585487][ T7710] ? save_stack+0x45/0xd0 [ 47.590814][ T7710] ? __kasan_slab_free+0x102/0x150 [ 47.596531][ T7710] ? kasan_slab_free+0xe/0x10 [ 47.601904][ T7710] ? kmem_cache_free+0x86/0x260 [ 47.607962][ T7710] ? free_fs_struct+0x4f/0x70 [ 47.612747][ T7710] ? exit_fs+0xf0/0x130 [ 47.616901][ T7710] lock_acquire+0x16f/0x3f0 [ 47.621396][ T7710] ? userfaultfd_release+0x48e/0x6d0 [ 47.626701][ T7710] _raw_spin_lock+0x2f/0x40 [ 47.631225][ T7710] ? userfaultfd_release+0x48e/0x6d0 [ 47.636505][ T7710] userfaultfd_release+0x48e/0x6d0 [ 47.641706][ T7710] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 47.647588][ T7710] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 47.653956][ T7710] ? ima_file_free+0xc9/0x4a0 [ 47.658743][ T7710] ? __might_sleep+0x95/0x190 [ 47.663517][ T7710] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 47.669422][ T7710] __fput+0x2e5/0x8d0 [ 47.673504][ T7710] ____fput+0x16/0x20 [ 47.677690][ T7710] task_work_run+0x14a/0x1c0 [ 47.682364][ T7710] do_exit+0x90a/0x2fa0 [ 47.686630][ T7710] ? get_signal+0x331/0x1d50 [ 47.691213][ T7710] ? mm_update_next_owner+0x640/0x640 [ 47.696686][ T7710] ? kasan_check_write+0x14/0x20 [ 47.701976][ T7710] ? _raw_spin_unlock_irq+0x28/0x90 [ 47.707287][ T7710] ? get_signal+0x331/0x1d50 [ 47.711878][ T7710] ? _raw_spin_unlock_irq+0x28/0x90 [ 47.717075][ T7710] do_group_exit+0x135/0x370 [ 47.721737][ T7710] get_signal+0x399/0x1d50 [ 47.726458][ T7710] ? __x64_sys_io_submit+0x31f/0x580 [ 47.731750][ T7710] do_signal+0x87/0x1940 [ 47.736266][ T7710] ? lock_downgrade+0x880/0x880 [ 47.741502][ T7710] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 47.747854][ T7710] ? kasan_check_read+0x11/0x20 [ 47.752821][ T7710] ? setup_sigcontext+0x7d0/0x7d0 [ 47.757946][ T7710] ? exit_to_usermode_loop+0x43/0x2c0 [ 47.765093][ T7710] ? do_syscall_64+0x52d/0x610 [ 47.770467][ T7710] ? exit_to_usermode_loop+0x43/0x2c0 [ 47.776064][ T7710] ? lockdep_hardirqs_on+0x418/0x5d0 [ 47.781448][ T7710] ? trace_hardirqs_on+0x67/0x230 [ 47.786467][ T7710] exit_to_usermode_loop+0x244/0x2c0 [ 47.791944][ T7710] do_syscall_64+0x52d/0x610 [ 47.796555][ T7710] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 47.802810][ T7710] RIP: 0033:0x4458d9 [ 47.806945][ T7710] Code: Bad RIP value. [ 47.811201][ T7710] RSP: 002b:00007f9539ab5db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 47.819689][ T7710] RAX: fffffffffffffe00 RBX: 00000000006dac58 RCX: 00000000004458d9 [ 47.827945][ T7710] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dac58 [ 47.835920][ T7710] RBP: 00000000006d