[ 37.339009][ T27] audit: type=1800 audit(1554152554.719:26): pid=7616 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 37.366213][ T27] audit: type=1800 audit(1554152554.719:27): pid=7616 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 37.461734][ T27] audit: type=1800 audit(1554152554.859:28): pid=7616 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 38.378201][ T27] audit: type=1800 audit(1554152555.779:29): pid=7616 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.255' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 48.687898][ T7771]
[ 48.690282][ T7771] ========================================================
[ 48.697441][ T7771] WARNING: possible irq lock inversion dependency detected
[ 48.704604][ T7771] 5.1.0-rc3+ #47 Not tainted
[ 48.709177][ T7771] --------------------------------------------------------
[ 48.716379][ T7771] syz-executor550/7771 just changed the state of lock:
[ 48.723208][ T7771] 0000000096db345a (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x48e/0x6d0
[ 48.732926][ T7771] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[ 48.740950][ T7771]  (&(&ctx->ctx_lock)->rlock){..-.}
[ 48.740956][ T7771]
[ 48.740956][ T7771]
[ 48.740956][ T7771] and interrupts could create inverse lock ordering between them.
[ 48.740956][ T7771]
[ 48.760400][ T7771]
[ 48.760400][ T7771] other info that might help us debug this:
[ 48.768430][ T7771] Chain exists of:
[ 48.768430][ T7771]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[ 48.768430][ T7771]
[ 48.782629][ T7771]  Possible interrupt unsafe locking scenario:
[ 48.782629][ T7771]
[ 48.790918][ T7771]        CPU0                    CPU1
[ 48.796255][ T7771]        ----                    ----
[ 48.801589][ T7771]   lock(&ctx->fault_pending_wqh);
[ 48.806666][ T7771]                                local_irq_disable();
[ 48.813398][ T7771]                                lock(&(&ctx->ctx_lock)->rlock);
[ 48.821079][ T7771]                                lock(&ctx->fd_wqh);
[ 48.827722][ T7771]   <Interrupt>
[ 48.831146][ T7771]     lock(&(&ctx->ctx_lock)->rlock);
[ 48.836503][ T7771]
[ 48.836503][ T7771]  *** DEADLOCK ***
[ 48.836503][ T7771]
[ 48.844656][ T7771] no locks held by syz-executor550/7771.
[ 48.850252][ T7771]
[ 48.850252][ T7771] the shortest dependencies between 2nd lock and 1st lock:
[ 48.859589][ T7771] -> (&(&ctx->ctx_lock)->rlock){..-.} {
[ 48.865280][ T7771]    IN-SOFTIRQ-W at:
[ 48.869413][ T7771]       lock_acquire+0x16f/0x3f0
[ 48.875889][ T7771]       _raw_spin_lock_irq+0x60/0x80
[ 48.882708][ T7771]       free_ioctx_users+0x2d/0x4a0
[ 48.889438][ T7771]       percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[ 48.897572][ T7771]       rcu_core+0x928/0x1390
[ 48.903784][ T7771]       __do_softirq+0x266/0x95a
[ 48.910260][ T7771]       irq_exit+0x180/0x1d0
[ 48.916405][ T7771]       smp_apic_timer_interrupt+0x14a/0x570
[ 48.923923][ T7771]       apic_timer_interrupt+0xf/0x20
[ 48.930851][ T7771]       native_safe_halt+0x2/0x10
[ 48.937412][ T7771]       arch_cpu_idle+0x10/0x20
[ 48.943797][ T7771]       default_idle_call+0x36/0x90
[ 48.950526][ T7771]       do_idle+0x386/0x570
[ 48.956560][ T7771]       cpu_startup_entry+0x1b/0x20
[ 48.963289][ T7771]       start_secondary+0x360/0x4d0
[ 48.970020][ T7771]       secondary_startup_64+0xa4/0xb0
[ 48.977006][ T7771]    INITIAL USE at:
[ 48.981051][ T7771]       lock_acquire+0x16f/0x3f0
[ 48.987433][ T7771]       _raw_spin_lock_irq+0x60/0x80
[ 48.994183][ T7771]       io_submit_one+0xaec/0x2f90
[ 49.000745][ T7771]       __ia32_compat_sys_io_submit+0x1be/0x570
[ 49.008445][ T7771]       do_fast_syscall_32+0x281/0xc98
[ 49.015373][ T7771]       entry_SYSENTER_compat+0x70/0x7f
[ 49.022365][ T7771]  }
[ 49.025023][ T7771]  ... key at: [] __key.52649+0x0/0x40
[ 49.032616][ T7771]  ... acquired at:
[ 49.036574][ T7771]    lock_acquire+0x16f/0x3f0
[ 49.041222][ T7771]    _raw_spin_lock+0x2f/0x40
[ 49.045870][ T7771]    io_submit_one+0xb31/0x2f90
[ 49.050693][ T7771]    __ia32_compat_sys_io_submit+0x1be/0x570
[ 49.056642][ T7771]    do_fast_syscall_32+0x281/0xc98
[ 49.061809][ T7771]    entry_SYSENTER_compat+0x70/0x7f
[ 49.067057][ T7771]
[ 49.069357][ T7771] -> (&ctx->fd_wqh){....} {
[ 49.073920][ T7771]    INITIAL USE at:
[ 49.077962][ T7771]       lock_acquire+0x16f/0x3f0
[ 49.084174][ T7771]       _raw_spin_lock_irq+0x60/0x80
[ 49.090734][ T7771]       userfaultfd_read+0x27a/0x1940
[ 49.097386][ T7771]       __vfs_read+0x8d/0x110
[ 49.103422][ T7771]       vfs_read+0x194/0x3e0
[ 49.109286][ T7771]       ksys_read+0xea/0x1f0
[ 49.115147][ T7771]       __ia32_sys_read+0x71/0xb0
[ 49.121459][ T7771]       do_fast_syscall_32+0x281/0xc98
[ 49.128190][ T7771]       entry_SYSENTER_compat+0x70/0x7f
[ 49.135000][ T7771]  }
[ 49.137563][ T7771]  ... key at: [] __key.45459+0x0/0x40
[ 49.145070][ T7771]  ... acquired at:
[ 49.148934][ T7771]    lock_acquire+0x16f/0x3f0
[ 49.153579][ T7771]    _raw_spin_lock+0x2f/0x40
[ 49.158227][ T7771]    userfaultfd_read+0x540/0x1940
[ 49.163309][ T7771]    __vfs_read+0x8d/0x110
[ 49.167694][ T7771]    vfs_read+0x194/0x3e0
[ 49.171991][ T7771]    ksys_read+0xea/0x1f0
[ 49.176292][ T7771]    __ia32_sys_read+0x71/0xb0
[ 49.181028][ T7771]    do_fast_syscall_32+0x281/0xc98
[ 49.186210][ T7771]    entry_SYSENTER_compat+0x70/0x7f
[ 49.191460][ T7771]
[ 49.193760][ T7771] -> (&ctx->fault_pending_wqh){+.+.} {
[ 49.199189][ T7771]    HARDIRQ-ON-W at:
[ 49.203142][ T7771]       lock_acquire+0x16f/0x3f0
[ 49.209277][ T7771]       _raw_spin_lock+0x2f/0x40
[ 49.215496][ T7771]       userfaultfd_release+0x48e/0x6d0
[ 49.222225][ T7771]       __fput+0x2e5/0x8d0
[ 49.227842][ T7771]       ____fput+0x16/0x20
[ 49.233458][ T7771]       task_work_run+0x14a/0x1c0
[ 49.239665][ T7771]       do_exit+0x90a/0x2fa0
[ 49.245439][ T7771]       do_group_exit+0x135/0x370
[ 49.251650][ T7771]       get_signal+0x399/0x1d50
[ 49.257685][ T7771]       do_signal+0x87/0x1940
[ 49.263554][ T7771]       exit_to_usermode_loop+0x244/0x2c0
[ 49.270465][ T7771]       do_fast_syscall_32+0xa9d/0xc98
[ 49.277115][ T7771]       entry_SYSENTER_compat+0x70/0x7f
[ 49.283841][ T7771]    SOFTIRQ-ON-W at:
[ 49.287806][ T7771]       lock_acquire+0x16f/0x3f0
[ 49.293936][ T7771]       _raw_spin_lock+0x2f/0x40
[ 49.300069][ T7771]       userfaultfd_release+0x48e/0x6d0
[ 49.306806][ T7771]       __fput+0x2e5/0x8d0
[ 49.312411][ T7771]       ____fput+0x16/0x20
[ 49.318018][ T7771]       task_work_run+0x14a/0x1c0
[ 49.324233][ T7771]       do_exit+0x90a/0x2fa0
[ 49.330019][ T7771]       do_group_exit+0x135/0x370
[ 49.336234][ T7771]       get_signal+0x399/0x1d50
[ 49.342277][ T7771]       do_signal+0x87/0x1940
[ 49.348145][ T7771]       exit_to_usermode_loop+0x244/0x2c0
[ 49.355058][ T7771]       do_fast_syscall_32+0xa9d/0xc98
[ 49.361707][ T7771]       entry_SYSENTER_compat+0x70/0x7f
[ 49.368452][ T7771]    INITIAL USE at:
[ 49.372325][ T7771]       lock_acquire+0x16f/0x3f0
[ 49.378371][ T7771]       _raw_spin_lock+0x2f/0x40
[ 49.384416][ T7771]       userfaultfd_read+0x540/0x1940
[ 49.390894][ T7771]       __vfs_read+0x8d/0x110
[ 49.396706][ T7771]       vfs_read+0x194/0x3e0
[ 49.402422][ T7771]       ksys_read+0xea/0x1f0
[ 49.408112][ T7771]       __ia32_sys_read+0x71/0xb0
[ 49.414240][ T7771]       do_fast_syscall_32+0x281/0xc98
[ 49.420804][ T7771]       entry_SYSENTER_compat+0x70/0x7f
[ 49.427445][ T7771]  }
[ 49.429924][ T7771]  ... key at: [] __key.45456+0x0/0x40
[ 49.437386][ T7771]  ... acquired at:
[ 49.441177][ T7771]    mark_lock+0x427/0x1380
[ 49.446456][ T7771]    __lock_acquire+0x1317/0x3fb0
[ 49.451452][ T7771]    lock_acquire+0x16f/0x3f0
[ 49.456098][ T7771]    _raw_spin_lock+0x2f/0x40
[ 49.460745][ T7771]    userfaultfd_release+0x48e/0x6d0
[ 49.465999][ T7771]    __fput+0x2e5/0x8d0
[ 49.470126][ T7771]    ____fput+0x16/0x20
[ 49.474253][ T7771]    task_work_run+0x14a/0x1c0
[ 49.478990][ T7771]    do_exit+0x90a/0x2fa0
[ 49.483303][ T7771]    do_group_exit+0x135/0x370
[ 49.488039][ T7771]    get_signal+0x399/0x1d50
[ 49.492598][ T7771]    do_signal+0x87/0x1940
[ 49.496987][ T7771]    exit_to_usermode_loop+0x244/0x2c0
[ 49.502420][ T7771]    do_fast_syscall_32+0xa9d/0xc98
[ 49.507594][ T7771]    entry_SYSENTER_compat+0x70/0x7f
[ 49.512845][ T7771]
[ 49.515160][ T7771]
[ 49.515160][ T7771] stack backtrace:
[ 49.521027][ T7771] CPU: 1 PID: 7771 Comm: syz-executor550 Not tainted 5.1.0-rc3+ #47
[ 49.528969][ T7771] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.538994][ T7771] Call Trace:
[ 49.542263][ T7771]  dump_stack+0x172/0x1f0
[ 49.546573][ T7771]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[ 49.552617][ T7771]  check_usage_backwards.cold+0x1d/0x26
[ 49.558140][ T7771]  ? print_shortest_lock_dependencies+0x90/0x90
[ 49.564369][ T7771]  ? save_stack_trace+0x1a/0x20
[ 49.569208][ T7771]  mark_lock+0x427/0x1380
[ 49.573511][ T7771]  ? print_shortest_lock_dependencies+0x90/0x90
[ 49.579728][ T7771]  __lock_acquire+0x1317/0x3fb0
[ 49.584550][ T7771]  ? trace_hardirqs_off+0x62/0x220
[ 49.589653][ T7771]  ? kasan_check_read+0x11/0x20
[ 49.594480][ T7771]  ? mark_held_locks+0xf0/0xf0
[ 49.599211][ T7771]  ? save_stack+0xa9/0xd0
[ 49.603512][ T7771]  ? save_stack+0x45/0xd0
[ 49.607813][ T7771]  ? __kasan_slab_free+0x102/0x150
[ 49.612909][ T7771]  ? kasan_slab_free+0xe/0x10
[ 49.617557][ T7771]  ? kmem_cache_free+0x86/0x260
[ 49.622382][ T7771]  ? free_fs_struct+0x4f/0x70
[ 49.627050][ T7771]  ? exit_fs+0xf0/0x130
[ 49.631218][ T7771]  lock_acquire+0x16f/0x3f0
[ 49.635708][ T7771]  ? userfaultfd_release+0x48e/0x6d0
[ 49.640977][ T7771]  _raw_spin_lock+0x2f/0x40
[ 49.645471][ T7771]  ? userfaultfd_release+0x48e/0x6d0
[ 49.650732][ T7771]  userfaultfd_release+0x48e/0x6d0
[ 49.655816][ T7771]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 49.661617][ T7771]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 49.667843][ T7771]  ? ima_file_free+0xc9/0x4a0
[ 49.672490][ T7771]  ? __might_sleep+0x95/0x190
[ 49.677141][ T7771]  ? userfaultfd_wake_function+0x2f0/0x2f0
[ 49.682917][ T7771]  __fput+0x2e5/0x8d0
[ 49.686873][ T7771]  ____fput+0x16/0x20
[ 49.690843][ T7771]  task_work_run+0x14a/0x1c0
[ 49.695407][ T7771]  do_exit+0x90a/0x2fa0
[ 49.699535][ T7771]  ? get_signal+0x331/0x1d50
[ 49.704110][ T7771]  ? mm_update_next_owner+0x640/0x640
[ 49.709453][ T7771]  ? kasan_check_write+0x14/0x20
[ 49.714365][ T7771]  ? _raw_spin_unlock_irq+0x28/0x90
[ 49.719554][ T7771]  ? get_signal+0x331/0x1d50
[ 49.724119][ T7771]  ? _raw_spin_unlock_irq+0x28/0x90
[ 49.729293][ T7771]  do_group_exit+0x135/0x370
[ 49.733857][ T7771]  get_signal+0x399/0x1d50
[ 49.738250][ T7771]  ? __ia32_compat_sys_io_submit+0x2fe/0x570
[ 49.744203][ T7771]  do_signal+0x87/0x1940
[ 49.748433][ T7771]  ? lock_downgrade+0x880/0x880
[ 49.753254][ T7771]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 49.759462][ T7771]  ? setup_sigcontext+0x7d0/0x7d0
[ 49.764461][ T7771]  ? exit_to_usermode_loop+0x43/0x2c0
[ 49.769803][ T7771]  ? do_fast_syscall_32+0xa9d/0xc98
[ 49.774973][ T7771]  ? exit_to_usermode_loop+0x43/0x2c0
[ 49.780313][ T7771]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 49.785576][ T7771]  ? trace_hardirqs_on+0x67/0x230
[ 49.790572][ T7771]  exit_to_usermode_loop+0x244/0x2c0
[ 49.795844][ T7771]  do_fast_syscall_32+0xa9d/0xc98
[ 49.800842][ T7771]  entry_SYSENTER_compat+0x70/0x7f
[ 49.805922][ T7771] RIP: 0023:0xf7f3c869
[ 49.809971][ T7771] Code: Bad RIP value.
[ 49.814007][ T7771] RSP: 002b:00000000f7f171ec EFLAGS: 00000296 ORIG_RAX: 00000000000000f0
[ 49.822401][ T7771] RAX: fffffffffffffe00 RBX: 00000000080fb018 RCX: 0000000000000080
[ 49.830360][ T7771] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000f7ecb000
[ 49.838315][ T7771] RBP: 0000000000000001 R08: 000