[   34.269191][   T26] audit: type=1800 audit(1554832467.322:27): pid=7453 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[   34.294453][   T26] audit: type=1800 audit(1554832467.322:28): pid=7453 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   35.073433][   T26] audit: type=1800 audit(1554832468.172:29): pid=7453 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   35.093756][   T26] audit: type=1800 audit(1554832468.172:30): pid=7453 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.15' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   61.551929][ T7606]
[   61.554289][ T7606] ========================================================
[   61.561462][ T7606] WARNING: possible irq lock inversion dependency detected
[   61.568642][ T7606] 5.1.0-rc4-next-20190409 #21 Not tainted
[   61.574365][ T7606] --------------------------------------------------------
[   61.581557][ T7606] syz-executor507/7606 just changed the state of lock:
[   61.588390][ T7606] 00000000a0fcc1b6 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x4ca/0x710
[   61.598102][ T7606] but this lock was taken by another, SOFTIRQ-safe lock in the past:
[   61.606276][ T7606]  (&(&ctx->ctx_lock)->rlock){..-.}
[   61.606284][ T7606]
[   61.606284][ T7606]
[   61.606284][ T7606] and interrupts could create inverse lock ordering between them.
[   61.606284][ T7606]
[   61.626001][ T7606]
[   61.626001][ T7606] other info that might help us debug this:
[   61.634077][ T7606] Chain exists of:
[   61.634077][ T7606]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[   61.634077][ T7606]
[   61.648900][ T7606]  Possible interrupt unsafe locking scenario:
[   61.648900][ T7606]
[   61.657427][ T7606]        CPU0                    CPU1
[   61.663404][ T7606]        ----                    ----
[   61.668759][ T7606]   lock(&ctx->fault_pending_wqh);
[   61.673846][ T7606]                                local_irq_disable();
[   61.680635][ T7606]                                lock(&(&ctx->ctx_lock)->rlock);
[   61.688456][ T7606]                                lock(&ctx->fd_wqh);
[   61.695136][ T7606]   <Interrupt>
[   61.698836][ T7606]     lock(&(&ctx->ctx_lock)->rlock);
[   61.704181][ T7606]
[   61.704181][ T7606]  *** DEADLOCK ***
[   61.704181][ T7606]
[   61.712431][ T7606] no locks held by syz-executor507/7606.
[   61.718047][ T7606]
[   61.718047][ T7606] the shortest dependencies between 2nd lock and 1st lock:
[   61.727490][ T7606] -> (&(&ctx->ctx_lock)->rlock){..-.} {
[   61.733262][ T7606]    IN-SOFTIRQ-W at:
[   61.737418][ T7606]                     lock_acquire+0x16f/0x3f0
[   61.743955][ T7606]                     _raw_spin_lock_irq+0x60/0x80
[   61.750797][ T7606]                     free_ioctx_users+0x2d/0x4a0
[   61.757637][ T7606]                     percpu_ref_switch_to_atomic_rcu+0x3e7/0x520
[   61.765811][ T7606]                     rcu_core+0xbbe/0x14f0
[   61.772076][ T7606]                     __do_softirq+0x266/0x95a
[   61.778704][ T7606]                     irq_exit+0x180/0x1d0
[   61.784849][ T7606]                     smp_apic_timer_interrupt+0x14a/0x570
[   61.792375][ T7606]                     apic_timer_interrupt+0xf/0x20
[   61.799296][ T7606]                     native_safe_halt+0x2/0x10
[   61.805873][ T7606]                     arch_cpu_idle+0x10/0x20
[   61.812278][ T7606]                     default_idle_call+0x36/0x90
[   61.819031][ T7606]                     do_idle+0x386/0x570
[   61.825082][ T7606]                     cpu_startup_entry+0x1b/0x20
[   61.831828][ T7606]                     start_secondary+0x360/0x4d0
[   61.838703][ T7606]                     secondary_startup_64+0xa4/0xb0
[   61.845829][ T7606]    INITIAL USE at:
[   61.849927][ T7606]                    lock_acquire+0x16f/0x3f0
[   61.856597][ T7606]                    _raw_spin_lock_irq+0x60/0x80
[   61.863343][ T7606]                    io_submit_one+0xae2/0x2f40
[   61.870017][ T7606]                    __x64_sys_io_submit+0x1bd/0x580
[   61.877251][ T7606]                    do_syscall_64+0x103/0x610
[   61.883758][ T7606]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   61.891546][ T7606]  }
[   61.894211][ T7606]  ... key at: [] __key.52857+0x0/0x40
[   61.901816][ T7606]  ... acquired at:
[   61.905808][ T7606]    lock_acquire+0x16f/0x3f0
[   61.910469][ T7606]    _raw_spin_lock+0x2f/0x40
[   61.915141][ T7606]    io_submit_one+0xb27/0x2f40
[   61.919986][ T7606]    __x64_sys_io_submit+0x1bd/0x580
[   61.925260][ T7606]    do_syscall_64+0x103/0x610
[   61.930004][ T7606]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   61.936046][ T7606]
[   61.938361][ T7606] -> (&ctx->fd_wqh){....} {
[   61.942934][ T7606]    INITIAL USE at:
[   61.946906][ T7606]                    lock_acquire+0x16f/0x3f0
[   61.953409][ T7606]                    _raw_spin_lock_irqsave+0x95/0xcd
[   61.960330][ T7606]                    add_wait_queue+0x4c/0x170
[   61.966648][ T7606]                    aio_poll_queue_proc+0x9e/0x110
[   61.973443][ T7606]                    userfaultfd_poll+0x93/0x220
[   61.979935][ T7606]                    io_submit_one+0xa80/0x2f40
[   61.986379][ T7606]                    __x64_sys_io_submit+0x1bd/0x580
[   61.993457][ T7606]                    do_syscall_64+0x103/0x610
[   61.999902][ T7606]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   62.007943][ T7606]  }
[   62.010574][ T7606]  ... key at: [] __key.45740+0x0/0x40
[   62.018491][ T7606]  ... acquired at:
[   62.022392][ T7606]    lock_acquire+0x16f/0x3f0
[   62.027063][ T7606]    _raw_spin_lock+0x2f/0x40
[   62.031721][ T7606]    userfaultfd_read+0x540/0x1940
[   62.036920][ T7606]    __vfs_read+0x8d/0x110
[   62.041324][ T7606]    vfs_read+0x194/0x3e0
[   62.045640][ T7606]    ksys_read+0x14f/0x2d0
[   62.050159][ T7606]    __x64_sys_read+0x73/0xb0
[   62.054835][ T7606]    do_syscall_64+0x103/0x610
[   62.059683][ T7606]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   62.071788][ T7606]
[   62.079668][ T7606] -> (&ctx->fault_pending_wqh){+.+.} {
[   62.085321][ T7606]    HARDIRQ-ON-W at:
[   62.089338][ T7606]                     lock_acquire+0x16f/0x3f0
[   62.095482][ T7606]                     _raw_spin_lock+0x2f/0x40
[   62.101625][ T7606]                     userfaultfd_release+0x4ca/0x710
[   62.108379][ T7606]                     __fput+0x2e5/0x8d0
[   62.114084][ T7606]                     ____fput+0x16/0x20
[   62.120007][ T7606]                     task_work_run+0x14a/0x1c0
[   62.126247][ T7606]                     do_exit+0x90a/0x2fa0
[   62.132353][ T7606]                     do_group_exit+0x135/0x370
[   62.138588][ T7606]                     get_signal+0x399/0x1d50
[   62.144733][ T7606]                     do_signal+0x87/0x1940
[   62.150615][ T7606]                     exit_to_usermode_loop+0x244/0x2c0
[   62.157663][ T7606]                     do_syscall_64+0x52d/0x610
[   62.163893][ T7606]                     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   62.171410][ T7606]    SOFTIRQ-ON-W at:
[   62.175376][ T7606]                     lock_acquire+0x16f/0x3f0
[   62.181528][ T7606]                     _raw_spin_lock+0x2f/0x40
[   62.187676][ T7606]                     userfaultfd_release+0x4ca/0x710
[   62.194428][ T7606]                     __fput+0x2e5/0x8d0
[   62.200216][ T7606]                     ____fput+0x16/0x20
[   62.205834][ T7606]                     task_work_run+0x14a/0x1c0
[   62.212063][ T7606]                     do_exit+0x90a/0x2fa0
[   62.217856][ T7606]                     do_group_exit+0x135/0x370
[   62.224078][ T7606]                     get_signal+0x399/0x1d50
[   62.230242][ T7606]                     do_signal+0x87/0x1940
[   62.236299][ T7606]                     exit_to_usermode_loop+0x244/0x2c0
[   62.243551][ T7606]                     do_syscall_64+0x52d/0x610
[   62.249770][ T7606]                     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   62.257298][ T7606]    INITIAL USE at:
[   62.261248][ T7606]                    lock_acquire+0x16f/0x3f0
[   62.267301][ T7606]                    _raw_spin_lock+0x2f/0x40
[   62.273350][ T7606]                    userfaultfd_read+0x540/0x1940
[   62.279938][ T7606]                    __vfs_read+0x8d/0x110
[   62.285744][ T7606]                    vfs_read+0x194/0x3e0
[   62.291519][ T7606]                    ksys_read+0x14f/0x2d0
[   62.297317][ T7606]                    __x64_sys_read+0x73/0xb0
[   62.303381][ T7606]                    do_syscall_64+0x103/0x610
[   62.309546][ T7606]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   62.317455][ T7606]  }
[   62.319957][ T7606]  ... key at: [] __key.45737+0x0/0x40
[   62.327387][ T7606]  ... acquired at:
[   62.331190][ T7606]    mark_lock+0x427/0x1380
[   62.335678][ T7606]    __lock_acquire+0x1317/0x3fb0
[   62.340678][ T7606]    lock_acquire+0x16f/0x3f0
[   62.345330][ T7606]    _raw_spin_lock+0x2f/0x40
[   62.349985][ T7606]    userfaultfd_release+0x4ca/0x710
[   62.355253][ T7606]    __fput+0x2e5/0x8d0
[   62.359393][ T7606]    ____fput+0x16/0x20
[   62.363554][ T7606]    task_work_run+0x14a/0x1c0
[   62.368293][ T7606]    do_exit+0x90a/0x2fa0
[   62.372600][ T7606]    do_group_exit+0x135/0x370
[   62.378034][ T7606]    get_signal+0x399/0x1d50
[   62.382612][ T7606]    do_signal+0x87/0x1940
[   62.387411][ T7606]    exit_to_usermode_loop+0x244/0x2c0
[   62.392861][ T7606]    do_syscall_64+0x52d/0x610
[   62.397619][ T7606]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   62.403662][ T7606]
[   62.405967][ T7606]
[   62.405967][ T7606] stack backtrace:
[   62.411938][ T7606] CPU: 1 PID: 7606 Comm: syz-executor507 Not tainted 5.1.0-rc4-next-20190409 #21
[   62.421021][ T7606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.431056][ T7606] Call Trace:
[   62.434329][ T7606]  dump_stack+0x172/0x1f0
[   62.438646][ T7606]  print_irq_inversion_bug.part.0+0x2c0/0x2cd
[   62.444702][ T7606]  check_usage_backwards.cold+0x1d/0x26
[   62.450229][ T7606]  ? print_shortest_lock_dependencies+0x90/0x90
[   62.456450][ T7606]  ? save_stack_trace+0x1a/0x20
[   62.461290][ T7606]  ? depot_save_stack+0x1de/0x460
[   62.466645][ T7606]  mark_lock+0x427/0x1380
[   62.471294][ T7606]  ? print_shortest_lock_dependencies+0x90/0x90
[   62.477871][ T7606]  __lock_acquire+0x1317/0x3fb0
[   62.483131][ T7606]  ? trace_hardirqs_off+0x62/0x220
[   62.488418][ T7606]  ? kasan_check_read+0x11/0x20
[   62.493268][ T7606]  ? mark_held_locks+0xf0/0xf0
[   62.498087][ T7606]  ? save_stack+0xa9/0xd0
[   62.502792][ T7606]  ? save_stack+0x45/0xd0
[   62.507502][ T7606]  ? __kasan_slab_free+0x102/0x150
[   62.512619][ T7606]  ? kasan_slab_free+0xe/0x10
[   62.517284][ T7606]  ? kmem_cache_free+0x86/0x260
[   62.522161][ T7606]  ? free_fs_struct+0x4f/0x70
[   62.526815][ T7606]  ? exit_fs+0xf0/0x130
[   62.530956][ T7606]  lock_acquire+0x16f/0x3f0
[   62.535449][ T7606]  ? userfaultfd_release+0x4ca/0x710
[   62.540729][ T7606]  _raw_spin_lock+0x2f/0x40
[   62.545276][ T7606]  ? userfaultfd_release+0x4ca/0x710
[   62.550695][ T7606]  userfaultfd_release+0x4ca/0x710
[   62.555797][ T7606]  ? userfaultfd_wake_function+0x2f0/0x2f0
[   62.561589][ T7606]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   62.567810][ T7606]  ? ima_file_free+0xc9/0x4a0
[   62.572472][ T7606]  ? __might_sleep+0x95/0x190
[   62.577144][ T7606]  ? userfaultfd_wake_function+0x2f0/0x2f0
[   62.582931][ T7606]  __fput+0x2e5/0x8d0
[   62.586908][ T7606]  ____fput+0x16/0x20
[   62.591007][ T7606]  task_work_run+0x14a/0x1c0
[   62.595588][ T7606]  do_exit+0x90a/0x2fa0
[   62.599722][ T7606]  ? get_signal+0x331/0x1d50
[   62.604299][ T7606]  ? mm_update_next_owner+0x640/0x640
[   62.609666][ T7606]  ? kasan_check_write+0x14/0x20
[   62.614589][ T7606]  ? _raw_spin_unlock_irq+0x28/0x90
[   62.619773][ T7606]  ? get_signal+0x331/0x1d50
[   62.624434][ T7606]  ? _raw_spin_unlock_irq+0x28/0x90
[   62.629610][ T7606]  do_group_exit+0x135/0x370
[   62.634393][ T7606]  get_signal+0x399/0x1d50
[   62.638857][ T7606]  do_signal+0x87/0x1940
[   62.643186][ T7606]  ? __vfs_read+0x95/0x110
[   62.647582][ T7606]  ? userfaultfd_event_wait_completion+0xa90/0xa90
[   62.654372][ T7606]  ? setup_sigcontext+0x7d0/0x7d0
[   62.659476][ T7606]  ? vfs_read+0x15d/0x3e0
[   62.663797][ T7606]  ? ksys_read+0x1f1/0x2d0
[   62.668205][ T7606]  ? exit_to_usermode_loop+0x43/0x2c0
[   62.673643][ T7606]  ? do_syscall_64+0x52d/0x610
[   62.678434][ T7606]  ? exit_to_usermode_loop+0x43/0x2c0
[   62.683806][ T7606]  ? lockdep_hardirqs_on+0x418/0x5d0
[   62.689071][ T7606]  ? trace_hardirqs_on+0x67/0x230
[   62.694087][ T7606]  exit_to_usermode_loop+0x244/0x2c0
[   62.699355][ T7606]  do_syscall_64+0x52d/0x610
[   62.703924][ T7606]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   62.709798][ T7606] RIP: 0033:0x441279
[   62.713761][ T7606] Code: Bad RIP value.
[   62.717816][ T7606] RSP: 002b:00007fff765d66e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[   62.726308][ T7606] RAX: fffffffffffffe00 RBX: 0000000000000003 RCX: 0000000000441279
[   62.734315][ T7606] RDX: 0000000000000107 RSI: 0000000020000180 RDI: 0000000000000004
[   62.742275][ T7606] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
executing program
[   62.750229][ T7606] R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020a0
[   62.758184][ T7606] R13: 0000000000402130 R14: 0000000000000000 R15: 0000000000000000
executing program
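The report above is readable once the `{+.+.}` annotations are decoded: each lock's usage string has four columns (HARDIRQ, HARDIRQ-READ, SOFTIRQ, SOFTIRQ-READ, in the order `get_usage_chars()` in kernel/locking/lockdep.c emits them), and `-` means "taken inside that irq context", `+` means "taken with that irq type enabled", `.` neither, `?` both. The rule lockdep enforces is that a lock used inside softirq context (`&(&ctx->ctx_lock)->rlock`, `{..-.}`) must never be ordered before a lock taken with softirqs enabled (`&ctx->fault_pending_wqh`, `{+.+.}`), because a softirq can then fire while the inner lock is held and spin on the outer one. The Python below is an added triage helper, not part of the syzbot report or of the kernel: it parses the usage strings and the `Chain exists of:` line out of the console text and re-applies that rule. The sample input is the relevant lines copied from the report; the column order and character meanings are taken from the kernel's lockdep implementation and Documentation/locking/lockdep-design.rst.

```python
import re

# Column order of a lockdep usage string such as {+.+.}, as produced by
# get_usage_chars() in kernel/locking/lockdep.c.
COLUMNS = ("HARDIRQ", "HARDIRQ-READ", "SOFTIRQ", "SOFTIRQ-READ")

# Meaning of each character (Documentation/locking/lockdep-design.rst).
CHAR_MEANING = {
    ".": "never taken in this irq context and never taken with it enabled",
    "-": "taken in this irq context (irq-safe)",
    "+": "taken with this irq type enabled (irq-unsafe)",
    "?": "taken in this irq context AND with it enabled",
}

# Console prefix "[   61.588390][ T7606] " in front of every kernel line.
PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T?\d+\]\s*")
# "(lock name){usage}" ; non-greedy so nested parens in the name survive.
USAGE = re.compile(r"\((.+?)\)\{([.+?-]{4})\}")

# Constructed sample: the lines of the report above that carry lock state.
SAMPLE = """\
[   61.588390][ T7606] 00000000a0fcc1b6 (&ctx->fault_pending_wqh){+.+.}, at: userfaultfd_release+0x4ca/0x710
[   61.606276][ T7606]  (&(&ctx->ctx_lock)->rlock){..-.}
[   61.634077][ T7606] Chain exists of:
[   61.634077][ T7606]   &(&ctx->ctx_lock)->rlock --> &ctx->fd_wqh --> &ctx->fault_pending_wqh
[   61.938361][ T7606] -> (&ctx->fd_wqh){....} {
"""


def parse_report(text):
    """Return ({lock name: usage string}, [locks in dependency order])."""
    usages, chain = {}, []
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        m = USAGE.search(line)
        if m:
            usages.setdefault(m.group(1), m.group(2))
        if "-->" in line:                      # the "Chain exists of:" body
            chain = [name.strip() for name in line.split("-->")]
    return usages, chain


def describe(usage):
    """Expand one usage string column by column."""
    return {col: CHAR_MEANING[ch] for col, ch in zip(COLUMNS, usage)}


def used_in(usage, state):
    # lockdep USED_IN_<STATE>: taken inside that irq context (write or read),
    # so every lock ordered after it must also be safe against that irq.
    w, r = COLUMNS.index(state), COLUMNS.index(state + "-READ")
    return usage[w] in "-?" or usage[r] in "-?"


def enabled(usage, state):
    # lockdep ENABLED_<STATE>: held with that irq type enabled, so the irq
    # can arrive while the lock is held.
    w, r = COLUMNS.index(state), COLUMNS.index(state + "-READ")
    return usage[w] in "+?" or usage[r] in "+?"


def find_inversions(text):
    """(outer, inner, state) triples where outer is STATE-safe but an inner
    lock in its dependency chain is STATE-unsafe: the deadlock lockdep warns
    about in the report."""
    usages, chain = parse_report(text)
    findings = []
    for i, outer in enumerate(chain):
        for inner in chain[i + 1:]:
            for state in ("HARDIRQ", "SOFTIRQ"):
                if used_in(usages.get(outer, "...."), state) and \
                        enabled(usages.get(inner, "...."), state):
                    findings.append((outer, inner, state))
    return findings


if __name__ == "__main__":
    usages, chain = parse_report(SAMPLE)
    for name in chain:
        print(name, usages.get(name), describe(usages.get(name, "....")))
    for outer, inner, state in find_inversions(SAMPLE):
        print(f"{state} inversion: {outer} is {state}-safe but {inner} "
              f"is taken with {state.lower()}s enabled")
```

For this report the helper flags exactly one pair, `&(&ctx->ctx_lock)->rlock` against `&ctx->fault_pending_wqh` for SOFTIRQ, which is the CPU0/CPU1 scenario lockdep printed: `free_ioctx_users` takes `ctx_lock` from an RCU softirq, while `userfaultfd_release` takes `fault_pending_wqh` with a plain `spin_lock` and interrupts enabled. The `&ctx->fd_wqh` link in the middle is `{....}` (only ever taken with `_raw_spin_lock_irqsave`), so it contributes the ordering but not the unsafe usage.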