[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 42.169174][ T26] audit: type=1800 audit(1554225485.804:25): pid=7920 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 42.205244][ T26] audit: type=1800 audit(1554225485.804:26): pid=7920 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 42.231561][ T26] audit: type=1800 audit(1554225485.804:27): pid=7920 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.15' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 54.714693][ T8075] [ 54.717034][ T8075] ======================================================== [ 54.724199][ T8075] WARNING: possible irq lock inversion dependency detected [ 54.731371][ T8075] 5.1.0-rc3+ #48 Not tainted [ 54.735934][ T8075] -------------------------------------------------------- [ 54.743098][ T8075] syz-executor179/8075 just changed the state of lock: [ 54.749920][ T8075] 00000000b33f7a52 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0 [ 54.759622][ T8075] but this lock was taken by another, SOFTIRQ-safe lock in the past: [ 54.767651][ T8075] (&(&ctx->ctx_lock)->rlock){..-.} [ 54.767657][ T8075] [ 54.767657][ T8075] [ 54.767657][ T8075] and interrupts could create inverse lock ordering between them. [ 54.767657][ T8075] [ 54.787096][ T8075] [ 54.787096][ T8075] other info that might help us debug this: [ 54.795125][ T8075] Chain exists of: [ 54.795125][ T8075] &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh [ 54.795125][ T8075] [ 54.809329][ T8075] Possible interrupt unsafe locking scenario: [ 54.809329][ T8075] [ 54.817622][ T8075] CPU0 CPU1 [ 54.822976][ T8075] ---- ---- [ 54.828336][ T8075] lock(&ctx->fault_pending_wqh); [ 54.833418][ T8075] local_irq_disable(); [ 54.840166][ T8075] lock(&(&ctx->ctx_lock)->rlock); [ 54.847853][ T8075] lock(&ctx->fd_wqh); [ 54.854583][ T8075] [ 54.858009][ T8075] lock(&(&ctx->ctx_lock)->rlock); [ 54.863350][ T8075] [ 54.863350][ T8075] *** DEADLOCK *** [ 54.863350][ T8075] [ 54.871469][ T8075] no locks held by syz-executor179/8075. [ 54.877068][ T8075] [ 54.877068][ T8075] the shortest dependencies between 2nd lock and 1st lock: [ 54.886437][ T8075] -> (&(&ctx->ctx_lock)->rlock){..-.} { [ 54.892137][ T8075] IN-SOFTIRQ-W at: [ 54.896298][ T8075] lock_acquire+0x16f/0x3f0 [ 54.902774][ T8075] _raw_spin_lock_irq+0x60/0x80 [ 54.909628][ T8075] free_ioctx_users+0x2d/0x4a0 [ 54.916367][ T8075] percpu_ref_switch_to_atomic_rcu+0x3e7/0x520 [ 54.924492][ T8075] rcu_core+0x928/0x1390 [ 54.930702][ T8075] __do_softirq+0x266/0x95a [ 54.937182][ T8075] irq_exit+0x180/0x1d0 [ 54.943323][ T8075] smp_apic_timer_interrupt+0x14a/0x570 [ 54.950837][ T8075] apic_timer_interrupt+0xf/0x20 [ 54.957742][ T8075] native_safe_halt+0x2/0x10 [ 54.964323][ T8075] arch_cpu_idle+0x10/0x20 [ 54.970707][ T8075] default_idle_call+0x36/0x90 [ 54.977443][ T8075] do_idle+0x386/0x570 [ 54.983485][ T8075] cpu_startup_entry+0x1b/0x20 [ 54.990221][ T8075] start_secondary+0x360/0x4d0 [ 54.996955][ T8075] secondary_startup_64+0xa4/0xb0 [ 55.003951][ T8075] INITIAL USE at: [ 55.007997][ T8075] lock_acquire+0x16f/0x3f0 [ 55.014384][ T8075] _raw_spin_lock_irq+0x60/0x80 [ 55.021119][ T8075] io_submit_one+0xaec/0x2f90 [ 55.027678][ T8075] __x64_sys_io_submit+0x1bd/0x580 [ 55.034675][ T8075] do_syscall_64+0x103/0x610 [ 55.041150][ T8075] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 55.048928][ T8075] } [ 55.051588][ T8075] ... key at: [] __key.52649+0x0/0x40 [ 55.059195][ T8075] ... acquired at: [ 55.063152][ T8075] lock_acquire+0x16f/0x3f0 [ 55.067809][ T8075] _raw_spin_lock+0x2f/0x40 [ 55.072459][ T8075] io_submit_one+0xb31/0x2f90 [ 55.077282][ T8075] __x64_sys_io_submit+0x1bd/0x580 [ 55.082543][ T8075] do_syscall_64+0x103/0x610 [ 55.087281][ T8075] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 55.093314][ T8075] [ 55.095613][ T8075] -> (&ctx->fd_wqh){....} { [ 55.100175][ T8075] INITIAL USE at: [ 55.104132][ T8075] lock_acquire+0x16f/0x3f0 [ 55.110349][ T8075] _raw_spin_lock_irq+0x60/0x80 [ 55.117178][ T8075] userfaultfd_read+0x27a/0x1940 [ 55.123835][ T8075] __vfs_read+0x8d/0x110 [ 55.129802][ T8075] vfs_read+0x194/0x3e0 [ 55.135668][ T8075] ksys_read+0xea/0x1f0 [ 55.141532][ T8075] __x64_sys_read+0x73/0xb0 [ 55.147762][ T8075] do_syscall_64+0x103/0x610 [ 55.154062][ T8075] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 55.161658][ T8075] } [ 55.164239][ T8075] ... key at: [] __key.45459+0x0/0x40 [ 55.171747][ T8075] ... acquired at: [ 55.175616][ T8075] lock_acquire+0x16f/0x3f0 [ 55.180268][ T8075] _raw_spin_lock+0x2f/0x40 [ 55.184958][ T8075] userfaultfd_read+0x540/0x1940 [ 55.190059][ T8075] __vfs_read+0x8d/0x110 [ 55.194449][ T8075] vfs_read+0x194/0x3e0 [ 55.198770][ T8075] ksys_read+0xea/0x1f0 [ 55.203078][ T8075] __x64_sys_read+0x73/0xb0 [ 55.207745][ T8075] do_syscall_64+0x103/0x610 [ 55.212480][ T8075] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 55.218512][ T8075] [ 55.220811][ T8075] -> (&ctx->fault_pending_wqh){+.+.} { [ 55.226252][ T8075] HARDIRQ-ON-W at: [ 55.230212][ T8075] lock_acquire+0x16f/0x3f0 [ 55.236338][ T8075] _raw_spin_lock+0x2f/0x40 [ 55.242469][ T8075] userfaultfd_release+0x48e/0x6d0 [ 55.249204][ T8075] __fput+0x2e5/0x8d0 [ 55.254816][ T8075] ____fput+0x16/0x20 [ 55.260420][ T8075] task_work_run+0x14a/0x1c0 [ 55.266652][ T8075] do_exit+0x90a/0x2fa0 [ 55.272429][ T8075] do_group_exit+0x135/0x370 [ 55.278641][ T8075] get_signal+0x399/0x1d50 [ 55.284683][ T8075] do_signal+0x87/0x1940 [ 55.290549][ T8075] exit_to_usermode_loop+0x244/0x2c0 [ 55.297456][ T8075] do_syscall_64+0x52d/0x610 [ 55.303686][ T8075] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 55.311205][ T8075] SOFTIRQ-ON-W at: [ 55.315179][ T8075] lock_acquire+0x16f/0x3f0 [ 55.321302][ T8075] _raw_spin_lock+0x2f/0x40 [ 55.327430][ T8075] userfaultfd_release+0x48e/0x6d0 [ 55.334171][ T8075] __fput+0x2e5/0x8d0 [ 55.339775][ T8075] ____fput+0x16/0x20 [ 55.345378][ T8075] task_work_run+0x14a/0x1c0 [ 55.351590][ T8075] do_exit+0x90a/0x2fa0 [ 55.357384][ T8075] do_group_exit+0x135/0x370 [ 55.363599][ T8075] get_signal+0x399/0x1d50 [ 55.369638][ T8075] do_signal+0x87/0x1940 [ 55.375524][ T8075] exit_to_usermode_loop+0x244/0x2c0 [ 55.382433][ T8075] do_syscall_64+0x52d/0x610 [ 55.388651][ T8075] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 55.396167][ T8075] INITIAL USE at: [ 55.400053][ T8075] lock_acquire+0x16f/0x3f0 [ 55.406101][ T8075] _raw_spin_lock+0x2f/0x40 [ 55.412140][ T8075] userfaultfd_read+0x540/0x1940 [ 55.418635][ T8075] __vfs_read+0x8d/0x110 [ 55.424415][ T8075] vfs_read+0x194/0x3e0 [ 55.430133][ T8075] ksys_read+0xea/0x1f0 [ 55.435831][ T8075] __x64_sys_read+0x73/0xb0 [ 55.441887][ T8075] do_syscall_64+0x103/0x610 [ 55.448017][ T8075] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 55.455526][ T8075] } [ 55.458007][ T8075] ... key at: [] __key.45456+0x0/0x40 [ 55.465442][ T8075] ... acquired at: [ 55.469222][ T8075] mark_lock+0x427/0x1380 [ 55.473711][ T8075] __lock_acquire+0x1317/0x3fb0 [ 55.478710][ T8075] lock_acquire+0x16f/0x3f0 [ 55.483362][ T8075] _raw_spin_lock+0x2f/0x40 [ 55.488013][ T8075] userfaultfd_release+0x48e/0x6d0 [ 55.493268][ T8075] __fput+0x2e5/0x8d0 [ 55.497411][ T8075] ____fput+0x16/0x20 [ 55.501544][ T8075] task_work_run+0x14a/0x1c0 [ 55.506287][ T8075] do_exit+0x90a/0x2fa0 [ 55.510604][ T8075] do_group_exit+0x135/0x370 [ 55.515344][ T8075] get_signal+0x399/0x1d50 [ 55.519908][ T8075] do_signal+0x87/0x1940 [ 55.524304][ T8075] exit_to_usermode_loop+0x244/0x2c0 [ 55.529734][ T8075] do_syscall_64+0x52d/0x610 [ 55.534472][ T8075] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 55.540500][ T8075] [ 55.542797][ T8075] [ 55.542797][ T8075] stack backtrace: [ 55.548668][ T8075] CPU: 1 PID: 8075 Comm: syz-executor179 Not tainted 5.1.0-rc3+ #48 [ 55.556611][ T8075] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 55.566685][ T8075] Call Trace: [ 55.569951][ T8075] dump_stack+0x172/0x1f0 [ 55.574281][ T8075] print_irq_inversion_bug.part.0+0x2c0/0x2cd [ 55.580322][ T8075] check_usage_backwards.cold+0x1d/0x26 [ 55.585865][ T8075] ? print_shortest_lock_dependencies+0x90/0x90 [ 55.592110][ T8075] ? save_stack_trace+0x1a/0x20 [ 55.596962][ T8075] mark_lock+0x427/0x1380 [ 55.601280][ T8075] ? print_shortest_lock_dependencies+0x90/0x90 [ 55.607494][ T8075] __lock_acquire+0x1317/0x3fb0 [ 55.612322][ T8075] ? trace_hardirqs_off+0x62/0x220 [ 55.617583][ T8075] ? kasan_check_read+0x11/0x20 [ 55.622409][ T8075] ? mark_held_locks+0xf0/0xf0 [ 55.627175][ T8075] ? save_stack+0xa9/0xd0 [ 55.631481][ T8075] ? save_stack+0x45/0xd0 [ 55.635783][ T8075] ? __kasan_slab_free+0x102/0x150 [ 55.640870][ T8075] ? kasan_slab_free+0xe/0x10 [ 55.645519][ T8075] ? kmem_cache_free+0x86/0x260 [ 55.650342][ T8075] ? free_fs_struct+0x4f/0x70 [ 55.654991][ T8075] ? exit_fs+0xf0/0x130 [ 55.659122][ T8075] lock_acquire+0x16f/0x3f0 [ 55.663607][ T8075] ? userfaultfd_release+0x48e/0x6d0 [ 55.668864][ T8075] _raw_spin_lock+0x2f/0x40 [ 55.673341][ T8075] ? userfaultfd_release+0x48e/0x6d0 [ 55.678596][ T8075] userfaultfd_release+0x48e/0x6d0 [ 55.683683][ T8075] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 55.689463][ T8075] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 55.695676][ T8075] ? ima_file_free+0xc9/0x4a0 [ 55.700328][ T8075] ? __might_sleep+0x95/0x190 [ 55.704988][ T8075] ? userfaultfd_wake_function+0x2f0/0x2f0 [ 55.710763][ T8075] __fput+0x2e5/0x8d0 [ 55.714720][ T8075] ____fput+0x16/0x20 [ 55.718672][ T8075] task_work_run+0x14a/0x1c0 [ 55.723237][ T8075] do_exit+0x90a/0x2fa0 [ 55.727384][ T8075] ? get_signal+0x331/0x1d50 [ 55.731950][ T8075] ? mm_update_next_owner+0x640/0x640 [ 55.737298][ T8075] ? kasan_check_write+0x14/0x20 [ 55.742297][ T8075] ? _raw_spin_unlock_irq+0x28/0x90 [ 55.747470][ T8075] ? get_signal+0x331/0x1d50 [ 55.752033][ T8075] ? _raw_spin_unlock_irq+0x28/0x90 [ 55.757204][ T8075] do_group_exit+0x135/0x370 [ 55.761769][ T8075] get_signal+0x399/0x1d50 [ 55.766168][ T8075] ? __x64_sys_io_submit+0x31f/0x580 [ 55.771440][ T8075] do_signal+0x87/0x1940 [ 55.775663][ T8075] ? lock_downgrade+0x880/0x880 [ 55.780485][ T8075] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 55.786699][ T8075] ? kasan_check_read+0x11/0x20 [ 55.791524][ T8075] ? setup_sigcontext+0x7d0/0x7d0 [ 55.796542][ T8075] ? exit_to_usermode_loop+0x43/0x2c0 [ 55.801886][ T8075] ? do_syscall_64+0x52d/0x610 [ 55.806623][ T8075] ? exit_to_usermode_loop+0x43/0x2c0 [ 55.811975][ T8075] ? lockdep_hardirqs_on+0x418/0x5d0 [ 55.817245][ T8075] ? trace_hardirqs_on+0x67/0x230 [ 55.822256][ T8075] exit_to_usermode_loop+0x244/0x2c0 [ 55.827515][ T8075] do_syscall_64+0x52d/0x610 [ 55.832092][ T8075] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 55.837986][ T8075] RIP: 0033:0x4458d9 [ 55.841882][ T8075] Code: Bad RIP value. [ 55.845932][ T8075] RSP: 002b:00007f5c51168db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 55.854423][ T8075] RAX: fffffffffffffe00 RBX: 00000000006dac58 RCX: 00000000004458d9 [ 55.862367][ T8075] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dac