[ 44.876795][ T26] audit: type=1800 audit(1554166756.109:27): pid=7795 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 44.916901][ T26] audit: type=1800 audit(1554166756.109:28): pid=7795 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 45.445064][ T26] audit: type=1800 audit(1554166756.739:29): pid=7795 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[FAIL] startpar: service(s) returned failure: rsyslog ... failed!
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 69.474492][ T7969]
[ 69.477214][ T7969] ========================================================
[ 69.484407][ T7969] WARNING: possible irq lock inversion dependency detected
[ 69.491721][ T7969] 5.1.0-rc3+ #48 Not tainted
[ 69.496499][ T7969] --------------------------------------------------------
[ 69.503985][ T7969] syz-executor491/7969 just changed the state of lock:
[ 69.510830][ T7969] 00000000509dc1a3 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0
[ 69.520672][ T7969] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 69.529149][ T7969] (&(&ctx->ctx_lock)->rlock){..-.}
[ 69.529163][ T7969]
[ 69.529163][ T7969]
[ 69.529163][ T7969] and interrupts could create inverse lock ordering between them.
[ 69.529163][ T7969]
[ 69.548654][ T7969]
[ 69.548654][ T7969] other info that might help us debug this:
[ 69.557550][ T7969] Chain exists of:
[ 69.557550][ T7969] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 69.557550][ T7969]
[ 69.571836][ T7969] Possible interrupt unsafe locking scenario:
[ 69.571836][ T7969]
[ 69.580159][ T7969]        CPU0                    CPU1
[ 69.585730][ T7969]        ----                    ----
[ 69.591108][ T7969]   lock(&ctx->fault_pending_wqh);
[ 69.596215][ T7969]                                local_irq_disable();
[ 69.603103][ T7969]                                lock(&(&ctx->ctx_lock)->rlock);
[ 69.610811][ T7969]                                lock(&ctx->fd_wqh);
[ 69.617487][ T7969]
[ 69.620938][ T7969]     lock(&(&ctx->ctx_lock)->rlock);
[ 69.626325][ T7969]
[ 69.626325][ T7969] *** DEADLOCK ***
[ 69.626325][ T7969]
[ 69.634795][ T7969] no locks held by syz-executor491/7969.
[ 69.640424][ T7969]
[ 69.640424][ T7969] the shortest dependencies between 2nd lock and 1st lock:
[ 69.649916][ T7969] -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 69.655802][ T7969] IN-SOFTIRQ-W at:
[ 69.659994][ T7969] lock_acquire+0x16f/0x3f0
[ 69.666573][ T7969] _raw_spin_lock_irq+0x60/0x80
[ 69.673425][ T7969] free_ioctx_users+0x2d/0x4a0
[ 69.680220][ T7969] percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[ 69.688584][ T7969] rcu_core+0x928/0x1390
[ 69.694831][ T7969] __do_softirq+0x266/0x95a
[ 69.701354][ T7969] irq_exit+0x180/0x1d0
[ 69.707503][ T7969] smp_apic_timer_interrupt+0x14a/0x570
[ 69.715406][ T7969] apic_timer_interrupt+0xf/0x20
[ 69.722344][ T7969] native_safe_halt+0x2/0x10
[ 69.728961][ T7969] arch_cpu_idle+0x10/0x20
[ 69.735764][ T7969] default_idle_call+0x36/0x90
[ 69.742925][ T7969] do_idle+0x386/0x570
[ 69.749004][ T7969] cpu_startup_entry+0x1b/0x20
[ 69.755762][ T7969] rest_init+0x245/0x37b
[ 69.762371][ T7969] arch_call_rest_init+0xe/0x1b
[ 69.769721][ T7969] start_kernel+0x816/0x84f
[ 69.776219][ T7969] x86_64_start_reservations+0x29/0x2b
[ 69.783672][ T7969] x86_64_start_kernel+0x77/0x7b
[ 69.790764][ T7969] secondary_startup_64+0xa4/0xb0
[ 69.797967][ T7969] INITIAL USE at:
[ 69.802052][ T7969] lock_acquire+0x16f/0x3f0
[ 69.808842][ T7969] _raw_spin_lock_irq+0x60/0x80
[ 69.815892][ T7969] io_submit_one+0xaec/0x2f90
[ 69.822480][ T7969] __x64_sys_io_submit+0x1bd/0x580
[ 69.829816][ T7969] do_syscall_64+0x103/0x610
[ 69.836924][ T7969] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.844788][ T7969] }
[ 69.847482][ T7969] ... key at: [] __key.52649+0x0/0x40
[ 69.855114][ T7969] ... acquired at:
[ 69.859190][ T7969] lock_acquire+0x16f/0x3f0
[ 69.863861][ T7969] _raw_spin_lock+0x2f/0x40
[ 69.868531][ T7969] io_submit_one+0xb31/0x2f90
[ 69.873471][ T7969] __x64_sys_io_submit+0x1bd/0x580
[ 69.879091][ T7969] do_syscall_64+0x103/0x610
[ 69.883890][ T7969] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.890003][ T7969]
[ 69.892322][ T7969] -> (&ctx->fd_wqh){....} {
[ 69.896903][ T7969] INITIAL USE at:
[ 69.901462][ T7969] lock_acquire+0x16f/0x3f0
[ 69.907695][ T7969] _raw_spin_lock_irq+0x60/0x80
[ 69.914320][ T7969] userfaultfd_read+0x27a/0x1940
[ 69.921760][ T7969] __vfs_read+0x8d/0x110
[ 69.927823][ T7969] vfs_read+0x194/0x3e0
[ 69.933707][ T7969] ksys_read+0xea/0x1f0
[ 69.939654][ T7969] __x64_sys_read+0x73/0xb0
[ 69.946030][ T7969] do_syscall_64+0x103/0x610
[ 69.952420][ T7969] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.960101][ T7969] }
[ 69.962690][ T7969] ... key at: [] __key.45459+0x0/0x40
[ 69.970529][ T7969] ... acquired at:
[ 69.974819][ T7969] lock_acquire+0x16f/0x3f0
[ 69.979617][ T7969] _raw_spin_lock+0x2f/0x40
[ 69.984355][ T7969] userfaultfd_read+0x540/0x1940
[ 69.990453][ T7969] __vfs_read+0x8d/0x110
[ 69.995474][ T7969] vfs_read+0x194/0x3e0
[ 69.999959][ T7969] ksys_read+0xea/0x1f0
[ 70.004323][ T7969] __x64_sys_read+0x73/0xb0
[ 70.009002][ T7969] do_syscall_64+0x103/0x610
[ 70.013888][ T7969] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.020124][ T7969]
[ 70.022558][ T7969] -> (&ctx->fault_pending_wqh){+.+.} {
[ 70.028070][ T7969] HARDIRQ-ON-W at:
[ 70.032067][ T7969] lock_acquire+0x16f/0x3f0
[ 70.038214][ T7969] _raw_spin_lock+0x2f/0x40
[ 70.044441][ T7969] userfaultfd_release+0x48e/0x6d0
[ 70.051208][ T7969] __fput+0x2e5/0x8d0
[ 70.057162][ T7969] ____fput+0x16/0x20
[ 70.062835][ T7969] task_work_run+0x14a/0x1c0
[ 70.069071][ T7969] do_exit+0x90a/0x2fa0
[ 70.074874][ T7969] do_group_exit+0x135/0x370
[ 70.081475][ T7969] get_signal+0x399/0x1d50
[ 70.087611][ T7969] do_signal+0x87/0x1940
[ 70.093635][ T7969] exit_to_usermode_loop+0x244/0x2c0
[ 70.100576][ T7969] do_syscall_64+0x52d/0x610
[ 70.106951][ T7969] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.114863][ T7969] SOFTIRQ-ON-W at:
[ 70.118838][ T7969] lock_acquire+0x16f/0x3f0
[ 70.125036][ T7969] _raw_spin_lock+0x2f/0x40
[ 70.131959][ T7969] userfaultfd_release+0x48e/0x6d0
[ 70.138802][ T7969] __fput+0x2e5/0x8d0
[ 70.144484][ T7969] ____fput+0x16/0x20
[ 70.150466][ T7969] task_work_run+0x14a/0x1c0
[ 70.157518][ T7969] do_exit+0x90a/0x2fa0
[ 70.163341][ T7969] do_group_exit+0x135/0x370
[ 70.169677][ T7969] get_signal+0x399/0x1d50
[ 70.176216][ T7969] do_signal+0x87/0x1940
[ 70.183310][ T7969] exit_to_usermode_loop+0x244/0x2c0
[ 70.190238][ T7969] do_syscall_64+0x52d/0x610
[ 70.196694][ T7969] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.204471][ T7969] INITIAL USE at:
[ 70.208369][ T7969] lock_acquire+0x16f/0x3f0
[ 70.214493][ T7969] _raw_spin_lock+0x2f/0x40
[ 70.220574][ T7969] userfaultfd_read+0x540/0x1940
[ 70.227208][ T7969] __vfs_read+0x8d/0x110
[ 70.233015][ T7969] vfs_read+0x194/0x3e0
[ 70.238742][ T7969] ksys_read+0xea/0x1f0
[ 70.244468][ T7969] __x64_sys_read+0x73/0xb0
[ 70.250643][ T7969] do_syscall_64+0x103/0x610
[ 70.256810][ T7969] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.266953][ T7969] }
[ 70.274390][ T7969] ... key at: [] __key.45456+0x0/0x40
[ 70.282139][ T7969] ... acquired at:
[ 70.286760][ T7969] mark_lock+0x427/0x1380
[ 70.292729][ T7969] __lock_acquire+0x1317/0x3fb0
[ 70.297763][ T7969] lock_acquire+0x16f/0x3f0
[ 70.302430][ T7969] _raw_spin_lock+0x2f/0x40
[ 70.307181][ T7969] userfaultfd_release+0x48e/0x6d0
[ 70.312467][ T7969] __fput+0x2e5/0x8d0
[ 70.316672][ T7969] ____fput+0x16/0x20
[ 70.320884][ T7969] task_work_run+0x14a/0x1c0
[ 70.325649][ T7969] do_exit+0x90a/0x2fa0
[ 70.329988][ T7969] do_group_exit+0x135/0x370
[ 70.335945][ T7969] get_signal+0x399/0x1d50
[ 70.340638][ T7969] do_signal+0x87/0x1940
[ 70.345062][ T7969] exit_to_usermode_loop+0x244/0x2c0
[ 70.350521][ T7969] do_syscall_64+0x52d/0x610
[ 70.355279][ T7969] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.361655][ T7969]
[ 70.364008][ T7969]
[ 70.364008][ T7969] stack backtrace:
[ 70.369985][ T7969] CPU: 0 PID: 7969 Comm: syz-executor491 Not tainted 5.1.0-rc3+ #48
[ 70.378382][ T7969] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.388587][ T7969] Call Trace:
[ 70.391925][ T7969] dump_stack+0x172/0x1f0
[ 70.396284][ T7969] print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 70.402347][ T7969] check_usage_backwards.cold+0x1d/0x26
[ 70.408242][ T7969] ? print_shortest_lock_dependencies+0x90/0x90
[ 70.414598][ T7969] ? save_stack_trace+0x1a/0x20
[ 70.419549][ T7969] mark_lock+0x427/0x1380
[ 70.423927][ T7969] ? print_shortest_lock_dependencies+0x90/0x90
[ 70.430177][ T7969] __lock_acquire+0x1317/0x3fb0
[ 70.435031][ T7969] ? trace_hardirqs_off+0x62/0x220
[ 70.440315][ T7969] ? kasan_check_read+0x11/0x20
[ 70.445436][ T7969] ? mark_held_locks+0xf0/0xf0
[ 70.450239][ T7969] ? save_stack+0xa9/0xd0
[ 70.454569][ T7969] ? save_stack+0x45/0xd0
[ 70.458941][ T7969] ? __kasan_slab_free+0x102/0x150
[ 70.464135][ T7969] ? kasan_slab_free+0xe/0x10
[ 70.468863][ T7969] ? kmem_cache_free+0x86/0x260
[ 70.474053][ T7969] ? free_fs_struct+0x4f/0x70
[ 70.478723][ T7969] ? exit_fs+0xf0/0x130
[ 70.482876][ T7969] lock_acquire+0x16f/0x3f0
[ 70.487506][ T7969] ? userfaultfd_release+0x48e/0x6d0
[ 70.492805][ T7969] _raw_spin_lock+0x2f/0x40
[ 70.497653][ T7969] ? userfaultfd_release+0x48e/0x6d0
[ 70.503027][ T7969] userfaultfd_release+0x48e/0x6d0
[ 70.508148][ T7969] ? userfaultfd_wake_function+0x2f0/0x2f0
[ 70.513966][ T7969] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 70.520233][ T7969] ? ima_file_free+0xc9/0x4a0
[ 70.525408][ T7969] ? __might_sleep+0x95/0x190
[ 70.530131][ T7969] ? userfaultfd_wake_function+0x2f0/0x2f0
[ 70.536003][ T7969] __fput+0x2e5/0x8d0
[ 70.540031][ T7969] ____fput+0x16/0x20
[ 70.544017][ T7969] task_work_run+0x14a/0x1c0
[ 70.548598][ T7969] do_exit+0x90a/0x2fa0
[ 70.552821][ T7969] ? get_signal+0x331/0x1d50
[ 70.558024][ T7969] ? mm_update_next_owner+0x640/0x640
[ 70.563462][ T7969] ? kasan_check_write+0x14/0x20
[ 70.568414][ T7969] ? _raw_spin_unlock_irq+0x28/0x90
[ 70.573665][ T7969] ? get_signal+0x331/0x1d50
[ 70.578473][ T7969] ? _raw_spin_unlock_irq+0x28/0x90
[ 70.584101][ T7969] do_group_exit+0x135/0x370
[ 70.588723][ T7969] get_signal+0x399/0x1d50
[ 70.593241][ T7969] ? __x64_sys_io_submit+0x31f/0x580
[ 70.598578][ T7969] do_signal+0x87/0x1940
[ 70.602834][ T7969] ? lock_downgrade+0x880/0x880
[ 70.607685][ T7969] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 70.614420][ T7969] ? kasan_check_read+0x11/0x20
[ 70.619330][ T7969] ? setup_sigcontext+0x7d0/0x7d0
[ 70.624352][ T7969] ? exit_to_usermode_loop+0x43/0x2c0
[ 70.629714][ T7969] ? do_syscall_64+0x52d/0x610
[ 70.634601][ T7969] ? exit_to_usermode_loop+0x43/0x2c0
[ 70.640498][ T7969] ? lockdep_hardirqs_on+0x418/0x5d0
[ 70.646056][ T7969] ? trace_hardirqs_on+0x67/0x230
[ 70.651144][ T7969] exit_to_usermode_loop+0x244/0x2c0
[ 70.656482][ T7969] do_syscall_64+0x52d/0x610
[ 70.661081][ T7969] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.667363][ T7969] RIP: 0033:0x4458d9
[ 70.671441][ T7969] Code: Bad RIP value.
[ 70.675539][ T7969] RSP: 002b:00007fe869a5cdb8 E