[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 58.129201][ T26] audit: type=1800 audit(1560770756.619:25): pid=8854 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 58.153384][ T26] audit: type=1800 audit(1560770756.629:26): pid=8854 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 58.199647][ T26] audit: type=1800 audit(1560770756.629:27): pid=8854 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.35' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 66.340819][ T9010] [ 66.343166][ T9010] ======================================================== [ 66.350405][ T9010] WARNING: possible irq lock inversion dependency detected [ 66.357644][ T9010] 5.2.0-rc4+ #34 Not tainted [ 66.362275][ T9010] -------------------------------------------------------- [ 66.369452][ T9010] syz-executor356/9010 just changed the state of lock: [ 66.376307][ T9010] 000000004ffa0e60 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x4ca/0x710 [ 66.386034][ T9010] but this lock was taken by another, SOFTIRQ-safe lock in the past: [ 66.394071][ T9010] (&(&ctx->ctx_lock)->rlock){..-.} [ 66.394080][ T9010] [ 66.394080][ T9010] [ 66.394080][ T9010] and interrupts could create inverse lock ordering between them. [ 66.394080][ T9010] [ 66.413537][ T9010] [ 66.413537][ T9010] other info that might help us debug this: [ 66.421576][ T9010] Chain exists of: [ 66.421576][ T9010] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh [ 66.421576][ T9010] [ 66.435789][ T9010] Possible interrupt unsafe locking scenario: [ 66.435789][ T9010] [ 66.444089][ T9010] CPU0 CPU1 [ 66.449441][ T9010] ---- ---- [ 66.454802][ T9010] lock(&ctx->fault_pending_wqh); [ 66.460032][ T9010] local_irq_disable(); [ 66.466783][ T9010] lock(&(&ctx->ctx_lock)->rlock); [ 66.474488][ T9010] lock(&ctx->fd_wqh); [ 66.481139][ T9010] [ 66.484607][ T9010] lock(&(&ctx->ctx_lock)->rlock); [ 66.489953][ T9010] [ 66.489953][ T9010] *** DEADLOCK *** [ 66.489953][ T9010] [ 66.498088][ T9010] no locks held by syz-executor356/9010. [ 66.503697][ T9010] [ 66.503697][ T9010] the shortest dependencies between 2nd lock and 1st lock: [ 66.513106][ T9010] -> (&(&ctx->ctx_lock)->rlock){..-.} { [ 66.518858][ T9010] IN-SOFTIRQ-W at: [ 66.523009][ T9010] lock_acquire+0x16f/0x3f0 [ 66.529510][ T9010] _raw_spin_lock_irq+0x60/0x80 [ 66.536411][ T9010] free_ioctx_users+0x2d/0x490 [ 66.543154][ T9010] percpu_ref_switch_to_atomic_rcu+0x407/0x540 [ 66.551287][ T9010] rcu_core+0xba5/0x1500 [ 66.557509][ T9010] __do_softirq+0x25c/0x94c [ 66.564001][ T9010] irq_exit+0x180/0x1d0 [ 66.570149][ T9010] smp_apic_timer_interrupt+0x13b/0x550 [ 66.577746][ T9010] apic_timer_interrupt+0xf/0x20 [ 66.584667][ T9010] native_safe_halt+0xe/0x10 [ 66.591242][ T9010] arch_cpu_idle+0xa/0x10 [ 66.597552][ T9010] default_idle_call+0x36/0x90 [ 66.604292][ T9010] do_idle+0x377/0x560 [ 66.610341][ T9010] cpu_startup_entry+0x1b/0x20 [ 66.617088][ T9010] rest_init+0x245/0x37b [ 66.623314][ T9010] arch_call_rest_init+0xe/0x1b [ 66.630157][ T9010] start_kernel+0x854/0x893 [ 66.636635][ T9010] x86_64_start_reservations+0x29/0x2b [ 66.644099][ T9010] x86_64_start_kernel+0x77/0x7b [ 66.651030][ T9010] secondary_startup_64+0xa4/0xb0 [ 66.658024][ T9010] INITIAL USE at: [ 66.662079][ T9010] lock_acquire+0x16f/0x3f0 [ 66.668472][ T9010] _raw_spin_lock_irq+0x60/0x80 [ 66.675341][ T9010] io_submit_one+0xeb5/0x2ef0 [ 66.681958][ T9010] __x64_sys_io_submit+0x1bd/0x570 [ 66.688965][ T9010] do_syscall_64+0xfd/0x680 [ 66.695359][ T9010] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.703225][ T9010] } [ 66.705895][ T9010] ... key at: [] __key.53428+0x0/0x40 [ 66.713546][ T9010] ... acquired at: [ 66.717508][ T9010] _raw_spin_lock+0x2f/0x40 [ 66.722167][ T9010] io_submit_one+0xefa/0x2ef0 [ 66.727002][ T9010] __x64_sys_io_submit+0x1bd/0x570 [ 66.732275][ T9010] do_syscall_64+0xfd/0x680 [ 66.736934][ T9010] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.742975][ T9010] [ 66.745282][ T9010] -> (&ctx->fd_wqh){....} { [ 66.749854][ T9010] INITIAL USE at: [ 66.753821][ T9010] lock_acquire+0x16f/0x3f0 [ 66.760044][ T9010] _raw_spin_lock_irq+0x60/0x80 [ 66.766646][ T9010] userfaultfd_read+0x27a/0x1940 [ 66.773304][ T9010] __vfs_read+0x8a/0x110 [ 66.779262][ T9010] vfs_read+0x194/0x3e0 [ 66.785190][ T9010] ksys_read+0x14f/0x290 [ 66.791233][ T9010] __x64_sys_read+0x73/0xb0 [ 66.797483][ T9010] do_syscall_64+0xfd/0x680 [ 66.803703][ T9010] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.811309][ T9010] } [ 66.813883][ T9010] ... key at: [] __key.46104+0x0/0x40 [ 66.821399][ T9010] ... acquired at: [ 66.825285][ T9010] _raw_spin_lock+0x2f/0x40 [ 66.829943][ T9010] userfaultfd_read+0x540/0x1940 [ 66.835030][ T9010] __vfs_read+0x8a/0x110 [ 66.839421][ T9010] vfs_read+0x194/0x3e0 [ 66.843731][ T9010] ksys_read+0x14f/0x290 [ 66.848142][ T9010] __x64_sys_read+0x73/0xb0 [ 66.852801][ T9010] do_syscall_64+0xfd/0x680 [ 66.857460][ T9010] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.863498][ T9010] [ 66.865816][ T9010] -> (&ctx->fault_pending_wqh){+.+.} { [ 66.871257][ T9010] HARDIRQ-ON-W at: [ 66.875222][ T9010] lock_acquire+0x16f/0x3f0 [ 66.881398][ T9010] _raw_spin_lock+0x2f/0x40 [ 66.887532][ T9010] userfaultfd_release+0x4ca/0x710 [ 66.894272][ T9010] __fput+0x2ff/0x890 [ 66.899885][ T9010] ____fput+0x16/0x20 [ 66.905548][ T9010] task_work_run+0x145/0x1c0 [ 66.911770][ T9010] do_exit+0x90a/0x2fa0 [ 66.917618][ T9010] do_group_exit+0x135/0x370 [ 66.923840][ T9010] get_signal+0x471/0x24b0 [ 66.929888][ T9010] do_signal+0x87/0x1900 [ 66.935780][ T9010] exit_to_usermode_loop+0x244/0x2c0 [ 66.942691][ T9010] do_syscall_64+0x58e/0x680 [ 66.948927][ T9010] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.956447][ T9010] SOFTIRQ-ON-W at: [ 66.960412][ T9010] lock_acquire+0x16f/0x3f0 [ 66.966544][ T9010] _raw_spin_lock+0x2f/0x40 [ 66.972680][ T9010] userfaultfd_release+0x4ca/0x710 [ 66.979426][ T9010] __fput+0x2ff/0x890 [ 66.985040][ T9010] ____fput+0x16/0x20 [ 66.990660][ T9010] task_work_run+0x145/0x1c0 [ 66.996884][ T9010] do_exit+0x90a/0x2fa0 [ 67.002669][ T9010] do_group_exit+0x135/0x370 [ 67.008896][ T9010] get_signal+0x471/0x24b0 [ 67.014946][ T9010] do_signal+0x87/0x1900 [ 67.020871][ T9010] exit_to_usermode_loop+0x244/0x2c0 [ 67.027846][ T9010] do_syscall_64+0x58e/0x680 [ 67.034072][ T9010] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 67.041595][ T9010] INITIAL USE at: [ 67.045493][ T9010] lock_acquire+0x16f/0x3f0 [ 67.051542][ T9010] _raw_spin_lock+0x2f/0x40 [ 67.057591][ T9010] userfaultfd_read+0x540/0x1940 [ 67.064124][ T9010] __vfs_read+0x8a/0x110 [ 67.069932][ T9010] vfs_read+0x194/0x3e0 [ 67.075627][ T9010] ksys_read+0x14f/0x290 [ 67.081543][ T9010] __x64_sys_read+0x73/0xb0 [ 67.087587][ T9010] do_syscall_64+0xfd/0x680 [ 67.093673][ T9010] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 67.101107][ T9010] } [ 67.103599][ T9010] ... key at: [] __key.46101+0x0/0x40 [ 67.111028][ T9010] ... acquired at: [ 67.114867][ T9010] mark_lock+0x420/0x1370 [ 67.119353][ T9010] __lock_acquire+0x12df/0x5490 [ 67.124356][ T9010] lock_acquire+0x16f/0x3f0 [ 67.129010][ T9010] _raw_spin_lock+0x2f/0x40 [ 67.133667][ T9010] userfaultfd_release+0x4ca/0x710 [ 67.138933][ T9010] __fput+0x2ff/0x890 [ 67.143101][ T9010] ____fput+0x16/0x20 [ 67.147236][ T9010] task_work_run+0x145/0x1c0 [ 67.151979][ T9010] do_exit+0x90a/0x2fa0 [ 67.156289][ T9010] do_group_exit+0x135/0x370 [ 67.161033][ T9010] get_signal+0x471/0x24b0 [ 67.165600][ T9010] do_signal+0x87/0x1900 [ 67.170022][ T9010] exit_to_usermode_loop+0x244/0x2c0 [ 67.175462][ T9010] do_syscall_64+0x58e/0x680 [ 67.180207][ T9010] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 67.186256][ T9010] [ 67.188566][ T9010] [ 67.188566][ T9010] stack backtrace: [ 67.194443][ T9010] CPU: 0 PID: 9010 Comm: syz-executor356 Not tainted 5.2.0-rc4+ #34 [ 67.202396][ T9010] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 67.212432][ T9010] Call Trace: [ 67.215718][ T9010] dump_stack+0x172/0x1f0 [ 67.220031][ T9010] print_irq_inversion_bug.part.0+0x2c5/0x2d2 [ 67.226174][ T9010] check_usage_backwards.cold+0x1d/0x26 [ 67.231702][ T9010] ? print_shortest_lock_dependencies+0x90/0x90 [ 67.237927][ T9010] ? stack_trace_save+0xac/0xe0 [ 67.242757][ T9010] ? stack_trace_consume_entry+0x190/0x190 [ 67.248543][ T9010] ? kasan_check_write+0x14/0x20 [ 67.253460][ T9010] ? graph_lock+0x7b/0x200 [ 67.257869][ T9010] ? __lockdep_reset_lock+0x450/0x450 [ 67.263228][ T9010] mark_lock+0x420/0x1370 [ 67.267538][ T9010] ? print_shortest_lock_dependencies+0x90/0x90 [ 67.273757][ T9010] __lock_acquire+0x12df/0x5490 [ 67.278589][ T9010] ? kasan_check_write+0x14/0x20 [ 67.283625][ T9010] ? mark_held_locks+0xf0/0xf0 [ 67.288371][ T9010] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 67.294160][ T9010] ? stack_depot_save+0x25a/0x450 [ 67.299165][ T9010] lock_acquire+0x16f/0x3f0 [ 67.303661][ T9010] ? userfaultfd_release+0x4ca/0x710 [ 67.308929][ T9010] _raw_spin_lock+0x2f/0x40 [ 67.313415][ T9010] ? userfaultfd_release+0x4ca/0x710 [ 67.318684][ T9010] userfaultfd_release+0x4ca/0x710 [ 67.323775][ T9010] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 67.329580][ T9010] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 67.335861][ T9010] ? ima_file_free+0xc9/0x4a0 [ 67.340570][ T9010] __fput+0x2ff/0x890 [ 67.344546][ T9010] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 67.350335][ T9010] ____fput+0x16/0x20 [ 67.354301][ T9010] task_work_run+0x145/0x1c0 [ 67.358874][ T9010] do_exit+0x90a/0x2fa0 [ 67.363013][ T9010] ? get_signal+0x387/0x24b0 [ 67.367643][ T9010] ? mm_update_next_owner+0x640/0x640 [ 67.373002][ T9010] ? kasan_check_write+0x14/0x20 [ 67.377925][ T9010] ? _raw_spin_unlock_irq+0x28/0x90 [ 67.383110][ T9010] ? get_signal+0x387/0x24b0 [ 67.387680][ T9010] ? _raw_spin_unlock_irq+0x28/0x90 [ 67.392886][ T9010] do_group_exit+0x135/0x370 [ 67.397478][ T9010] get_signal+0x471/0x24b0 [ 67.402207][ T9010] ? exit_robust_list+0x2c0/0x2c0 [ 67.407228][ T9010] do_signal+0x87/0x1900 [ 67.411476][ T9010] ? lock_downgrade+0x880/0x880 [ 67.416313][ T9010] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 67.422544][ T9010] ? kasan_check_read+0x11/0x20 [ 67.427385][ T9010] ? setup_sigcontext+0x7d0/0x7d0 [ 67.432412][ T9010] ? exit_to_usermode_loop+0x43/0x2c0 [ 67.437765][ T9010] ? do_syscall_64+0x58e/0x680 [ 67.442504][ T9010] ? exit_to_usermode_loop+0x43/0x2c0 [ 67.447857][ T9010] ? lockdep_hardirqs_on+0x418/0x5d0 [ 67.453126][ T9010] ? trace_hardirqs_on+0x67/0x220 [ 67.458130][ T9010] exit_to_usermode_loop+0x244/0x2c0 [ 67.463398][ T9010] do_syscall_64+0x58e/0x680 [ 67.468103][ T9010] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 67.473978][ T9010] RIP: 0033:0x4458f9 [ 67.477862][ T9010] Code: Bad RIP value. [ 67.481909][ T9010] RSP: 002b:00007f69abe28db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 67.490302][ T9010] RAX: fffffffffffffe00 RBX: 00000000006dac5