syzbot

=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
syzkaller #0 Not tainted
-----------------------------------------------------
syz.0.17/6126 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
ffff8880528a20c0
 (&new->fa_lock){....}-{3:3}, at: kill_fasync_rcu fs/fcntl.c:1124 [inline]
 (&new->fa_lock){....}-{3:3}, at: kill_fasync fs/fcntl.c:1148 [inline]
 (&new->fa_lock){....}-{3:3}, at: kill_fasync+0x138/0x510 fs/fcntl.c:1141

and this task is already holding:
ffff88805166c028 (&client->buffer_lock){....}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff88805166c028 (&client->buffer_lock){....}-{3:3}, at: evdev_pass_values+0x10e/0x9b0 drivers/input/evdev.c:261
which would create a new lock dependency:
 (&client->buffer_lock){....}-{3:3} -> (&new->fa_lock){....}-{3:3}

but this new dependency connects a SOFTIRQ-irq-safe lock:
 (&dev->event_lock#2){..-.}-{3:3}

... which became SOFTIRQ-irq-safe at:
  lock_acquire kernel/locking/lockdep.c:5868 [inline]
  lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5825
  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
  _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
  class_spinlock_irqsave_constructor include/linux/spinlock.h:585 [inline]
  input_inject_event+0x9f/0x3b0 drivers/input/input.c:418
  __led_set_brightness drivers/leds/led-core.c:52 [inline]
  led_set_brightness_nopm drivers/leds/led-core.c:335 [inline]
  led_set_brightness_nosleep drivers/leds/led-core.c:369 [inline]
  led_set_brightness+0x217/0x290 drivers/leds/led-core.c:328
  led_trigger_event drivers/leds/led-triggers.c:420 [inline]
  led_trigger_event+0xda/0x270 drivers/leds/led-triggers.c:408
  kbd_propagate_led_state drivers/tty/vt/keyboard.c:1073 [inline]
  kbd_bh+0x21b/0x300 drivers/tty/vt/keyboard.c:1262
  tasklet_action_common+0x281/0x400 kernel/softirq.c:829
  handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
  __do_softirq kernel/softirq.c:613 [inline]
  invoke_softirq kernel/softirq.c:453 [inline]
  __irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
  irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
  instr_sysvec_call_function arch/x86/kernel/smp.c:257 [inline]
  sysvec_call_function+0xa4/0xc0 arch/x86/kernel/smp.c:257
  asm_sysvec_call_function+0x1a/0x20 arch/x86/include/asm/idtentry.h:710
  console_flush_all+0x9a2/0xc60 kernel/printk/printk.c:3227
  __console_flush_and_unlock kernel/printk/printk.c:3285 [inline]
  console_unlock+0xd8/0x210 kernel/printk/printk.c:3325
  console_callback+0x27c/0x4c0 drivers/tty/vt/vt.c:3232
  process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3236
  process_scheduled_works kernel/workqueue.c:3319 [inline]
  worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
  kthread+0x3c2/0x780 kernel/kthread.c:463
  ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

to a SOFTIRQ-irq-unsafe lock:
 (tasklist_lock){.+.+}-{3:3}

... which became SOFTIRQ-irq-unsafe at:
...
  lock_acquire kernel/locking/lockdep.c:5868 [inline]
  lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5825
  __raw_read_lock include/linux/rwlock_api_smp.h:150 [inline]
  _raw_read_lock+0x5f/0x70 kernel/locking/spinlock.c:228
  __do_wait+0x105/0x890 kernel/exit.c:1662
  do_wait+0x21e/0x5a0 kernel/exit.c:1706
  kernel_wait+0x9f/0x160 kernel/exit.c:1882
  call_usermodehelper_exec_sync kernel/umh.c:136 [inline]
  call_usermodehelper_exec_work+0xf1/0x170 kernel/umh.c:163
  process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3236
  process_scheduled_works kernel/workqueue.c:3319 [inline]
  worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
  kthread+0x3c2/0x780 kernel/kthread.c:463
  ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

other info that might help us debug this:

Chain exists of:
  &dev->event_lock#2 --> &client->buffer_lock --> tasklist_lock

 Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(tasklist_lock);
                               local_irq_disable();
                               lock(&dev->event_lock#2);
                               lock(&client->buffer_lock);
  <Interrupt>
    lock(&dev->event_lock#2);

 *** DEADLOCK ***

7 locks held by syz.0.17/6126:
 #0: ffff888106cd9118 (&evdev->mutex){+.+.}-{4:4}, at: evdev_write+0x206/0x750 drivers/input/evdev.c:511
 #1: ffff8881006b8230 (&dev->event_lock#2){..-.}-{3:3}, at: class_spinlock_irqsave_constructor include/linux/spinlock.h:585 [inline]
 #1: ffff8881006b8230 (&dev->event_lock#2){..-.}-{3:3}, at: input_inject_event+0x9f/0x3b0 drivers/input/input.c:418
 #2: ffffffff8e5c1260 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #2: ffffffff8e5c1260 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #2: ffffffff8e5c1260 (rcu_read_lock){....}-{1:3}, at: class_rcu_constructor include/linux/rcupdate.h:1155 [inline]
 #2: ffffffff8e5c1260 (rcu_read_lock){....}-{1:3}, at: input_inject_event+0xbb/0x3b0 drivers/input/input.c:419
 #3: ffffffff8e5c1260 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #3: ffffffff8e5c1260 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #3: ffffffff8e5c1260 (rcu_read_lock){....}-{1:3}, at: class_rcu_constructor include/linux/rcupdate.h:1155 [inline]
 #3: ffffffff8e5c1260 (rcu_read_lock){....}-{1:3}, at: input_pass_values+0x80/0x880 drivers/input/input.c:118
 #4: ffffffff8e5c1260 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #4: ffffffff8e5c1260 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #4: ffffffff8e5c1260 (rcu_read_lock){....}-{1:3}, at: evdev_events+0x7b/0x390 drivers/input/evdev.c:298
 #5: ffff88805166c028 (&client->buffer_lock){....}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #5: ffff88805166c028 (&client->buffer_lock){....}-{3:3}, at: evdev_pass_values+0x10e/0x9b0 drivers/input/evdev.c:261
 #6: ffffffff8e5c1260 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #6: ffffffff8e5c1260 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #6: ffffffff8e5c1260 (rcu_read_lock){....}-{1:3}, at: kill_fasync fs/fcntl.c:1147 [inline]
 #6: ffffffff8e5c1260 (rcu_read_lock){....}-{1:3}, at: kill_fasync+0x62/0x510 fs/fcntl.c:1141

the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
 -> (&dev->event_lock#2){..-.}-{3:3} {
    IN-SOFTIRQ-W at:
                      lock_acquire kernel/locking/lockdep.c:5868 [inline]
                      lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5825
                      __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
                      _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
                      class_spinlock_irqsave_constructor include/linux/spinlock.h:585 [inline]
                      input_inject_event+0x9f/0x3b0 drivers/input/input.c:418
                      __led_set_brightness drivers/leds/led-core.c:52 [inline]
                      led_set_brightness_nopm drivers/leds/led-core.c:335 [inline]
                      led_set_brightness_nosleep drivers/leds/led-core.c:369 [inline]
                      led_set_brightness+0x217/0x290 drivers/leds/led-core.c:328
                      led_trigger_event drivers/leds/led-triggers.c:420 [inline]
                      led_trigger_event+0xda/0x270 drivers/leds/led-triggers.c:408
                      kbd_propagate_led_state drivers/tty/vt/keyboard.c:1073 [inline]
                      kbd_bh+0x21b/0x300 drivers/tty/vt/keyboard.c:1262
                      tasklet_action_common+0x281/0x400 kernel/softirq.c:829
                      handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
                      __do_softirq kernel/softirq.c:613 [inline]
                      invoke_softirq kernel/softirq.c:453 [inline]
                      __irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
                      irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
                      instr_sysvec_call_function arch/x86/kernel/smp.c:257 [inline]
                      sysvec_call_function+0xa4/0xc0 arch/x86/kernel/smp.c:257
                      asm_sysvec_call_function+0x1a/0x20 arch/x86/include/asm/idtentry.h:710
                      console_flush_all+0x9a2/0xc60 kernel/printk/printk.c:3227
                      __console_flush_and_unlock kernel/printk/printk.c:3285 [inline]
                      console_unlock+0xd8/0x210 kernel/printk/printk.c:3325
                      console_callback+0x27c/0x4c0 drivers/tty/vt/vt.c:3232
                      process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3236
                      process_scheduled_works kernel/workqueue.c:3319 [inline]
                      worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
                      kthread+0x3c2/0x780 kernel/kthread.c:463
                      ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
                      ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
    INITIAL USE at:
                     lock_acquire kernel/locking/lockdep.c:5868 [inline]
                     lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5825
                     __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
                     _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
                     class_spinlock_irqsave_constructor include/linux/spinlock.h:585 [inline]
                     input_inject_event+0x9f/0x3b0 drivers/input/input.c:418
                     __led_set_brightness drivers/leds/led-core.c:52 [inline]
                     led_set_brightness_nopm drivers/leds/led-core.c:335 [inline]
                     led_set_brightness_nosleep drivers/leds/led-core.c:369 [inline]
                     led_set_brightness+0x217/0x290 drivers/leds/led-core.c:328
                     kbd_led_trigger_activate+0xcb/0x110 drivers/tty/vt/keyboard.c:1029
                     led_trigger_set+0x59a/0xc50 drivers/leds/led-triggers.c:220
                     led_match_default_trigger drivers/leds/led-triggers.c:277 [inline]
                     led_match_default_trigger drivers/leds/led-triggers.c:271 [inline]
                     led_trigger_set_default drivers/leds/led-triggers.c:300 [inline]
                     led_trigger_set_default+0x1e0/0x2e0 drivers/leds/led-triggers.c:284
                     led_classdev_register_ext+0x7b8/0xa10 drivers/leds/led-class.c:565
                     led_classdev_register include/linux/leds.h:274 [inline]
                     input_leds_connect+0x552/0x8e0 drivers/input/input-leds.c:145
                     input_attach_handler.isra.0+0x176/0x250 drivers/input/input.c:993
                     input_register_device+0xab9/0x1180 drivers/input/input.c:2412
                     atkbd_connect+0x5f8/0xa40 drivers/input/keyboard/atkbd.c:1340
                     serio_connect_driver drivers/input/serio/serio.c:43 [inline]
                     serio_driver_probe+0x7c/0xd0 drivers/input/serio/serio.c:747
                     call_driver_probe drivers/base/dd.c:581 [inline]
                     really_probe+0x241/0xa90 drivers/base/dd.c:659
                     __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
                     driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
                     __driver_attach+0x283/0x580 drivers/base/dd.c:1217
                     bus_for_each_dev+0x13e/0x1d0 drivers/base/bus.c:370
                     serio_attach_driver drivers/input/serio/serio.c:776 [inline]
                     serio_handle_event+0x335/0xc30 drivers/input/serio/serio.c:213
                     process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3236
                     process_scheduled_works kernel/workqueue.c:3319 [inline]
                     worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
                     kthread+0x3c2/0x780 kernel/kthread.c:463
                     ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
                     ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
  }
  ... key      at: [<ffffffff9b162f60>] __key.7+0x0/0x40
-> (&client->buffer_lock){....}-{3:3} {
   INITIAL USE at:
                   lock_acquire kernel/locking/lockdep.c:5868 [inline]
                   lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5825
                   __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
                   _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
                   spin_lock include/linux/spinlock.h:351 [inline]
                   evdev_pass_values+0x10e/0x9b0 drivers/input/evdev.c:261
                   evdev_events+0x1bb/0x390 drivers/input/evdev.c:306
                   input_pass_values+0x74e/0x880 drivers/input/input.c:127
                   input_event_dispose drivers/input/input.c:341 [inline]
                   input_handle_event+0xf00/0x14d0 drivers/input/input.c:369
                   input_inject_event+0x1e8/0x3b0 drivers/input/input.c:423
                   evdev_write+0x457/0x750 drivers/input/evdev.c:528
                   vfs_write+0x29d/0x11d0 fs/read_write.c:684
                   ksys_write+0x1f8/0x250 fs/read_write.c:738
                   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
                   do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
                   entry_SYSCALL_64_after_hwframe+0x77/0x7f
 }
 ... key      at: [<ffffffff9b1633e0>] __key.1+0x0/0x40
 ... acquired at:
   __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
   _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
   spin_lock include/linux/spinlock.h:351 [inline]
   evdev_pass_values+0x10e/0x9b0 drivers/input/evdev.c:261
   evdev_events+0x1bb/0x390 drivers/input/evdev.c:306
   input_pass_values+0x74e/0x880 drivers/input/input.c:127
   input_event_dispose drivers/input/input.c:341 [inline]
   input_handle_event+0xf00/0x14d0 drivers/input/input.c:369
   input_inject_event+0x1e8/0x3b0 drivers/input/input.c:423
   evdev_write+0x457/0x750 drivers/input/evdev.c:528
   vfs_write+0x29d/0x11d0 fs/read_write.c:684
   ksys_write+0x1f8/0x250 fs/read_write.c:738
   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x77/0x7f


the dependencies between the lock to be acquired
 and SOFTIRQ-irq-unsafe lock:
  -> (tasklist_lock){.+.+}-{3:3} {
     HARDIRQ-ON-R at:
                        lock_acquire kernel/locking/lockdep.c:5868 [inline]
                        lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5825
                        __raw_read_lock include/linux/rwlock_api_smp.h:150 [inline]
                        _raw_read_lock+0x5f/0x70 kernel/locking/spinlock.c:228
                        __do_wait+0x105/0x890 kernel/exit.c:1662
                        do_wait+0x21e/0x5a0 kernel/exit.c:1706
                        kernel_wait+0x9f/0x160 kernel/exit.c:1882
                        call_usermodehelper_exec_sync kernel/umh.c:136 [inline]
                        call_usermodehelper_exec_work+0xf1/0x170 kernel/umh.c:163
                        process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3236
                        process_scheduled_works kernel/workqueue.c:3319 [inline]
                        worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
                        kthread+0x3c2/0x780 kernel/kthread.c:463
                        ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
                        ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
     SOFTIRQ-ON-R at:
                        lock_acquire kernel/locking/lockdep.c:5868 [inline]
                        lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5825
                        __raw_read_lock include/linux/rwlock_api_smp.h:150 [inline]
                        _raw_read_lock+0x5f/0x70 kernel/locking/spinlock.c:228
                        __do_wait+0x105/0x890 kernel/exit.c:1662
                        do_wait+0x21e/0x5a0 kernel/exit.c:1706
                        kernel_wait+0x9f/0x160 kernel/exit.c:1882
                        call_usermodehelper_exec_sync kernel/umh.c:136 [inline]
                        call_usermodehelper_exec_work+0xf1/0x170 kernel/umh.c:163
                        process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3236
                        process_scheduled_works kernel/workqueue.c:3319 [inline]
                        worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
                        kthread+0x3c2/0x780 kernel/kthread.c:463
                        ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
                        ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
     INITIAL USE at:
                       lock_acquire kernel/locking/lockdep.c:5868 [inline]
                       lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5825
                       __raw_write_lock_irq include/linux/rwlock_api_smp.h:195 [inline]
                       _raw_write_lock_irq+0x36/0x50 kernel/locking/spinlock.c:326
                       copy_process+0x4caf/0x7690 kernel/fork.c:2321
                       kernel_clone+0xfc/0x930 kernel/fork.c:2605
                       user_mode_thread+0xc7/0x110 kernel/fork.c:2683
                       rest_init+0x23/0x2b0 init/main.c:709
                       start_kernel+0x3ee/0x4d0 init/main.c:1097
                       x86_64_start_reservations+0x18/0x30 arch/x86/kernel/head64.c:307
                       x86_64_start_kernel+0x130/0x190 arch/x86/kernel/head64.c:288
                       common_startup_64+0x13e/0x148
     INITIAL READ USE at:
                            lock_acquire kernel/locking/lockdep.c:5868 [inline]
                            lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5825
                            __raw_read_lock include/linux/rwlock_api_smp.h:150 [inline]
                            _raw_read_lock+0x5f/0x70 kernel/locking/spinlock.c:228
                            __do_wait+0x105/0x890 kernel/exit.c:1662
                            do_wait+0x21e/0x5a0 kernel/exit.c:1706
                            kernel_wait+0x9f/0x160 kernel/exit.c:1882
                            call_usermodehelper_exec_sync kernel/umh.c:136 [inline]
                            call_usermodehelper_exec_work+0xf1/0x170 kernel/umh.c:163
                            process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3236
                            process_scheduled_works kernel/workqueue.c:3319 [inline]
                            worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
                            kthread+0x3c2/0x780 kernel/kthread.c:463
                            ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
                            ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
   }
   ... key      at: [<ffffffff8e20c098>] tasklist_lock+0x18/0x40
   ... acquired at:
   __raw_read_lock include/linux/rwlock_api_smp.h:150 [inline]
   _raw_read_lock+0x5f/0x70 kernel/locking/spinlock.c:228
   send_sigio+0xb8/0x3e0 fs/fcntl.c:921
   kill_fasync_rcu fs/fcntl.c:1133 [inline]
   kill_fasync fs/fcntl.c:1148 [inline]
   kill_fasync+0x214/0x510 fs/fcntl.c:1141
   lease_break_callback+0x23/0x30 fs/locks.c:558
   __break_lease+0x674/0x1810 fs/locks.c:1592
   break_lease include/linux/filelock.h:446 [inline]
   vfs_truncate+0x4d3/0x6e0 fs/open.c:112
   do_sys_truncate fs/open.c:141 [inline]
   __do_sys_truncate fs/open.c:153 [inline]
   __se_sys_truncate fs/open.c:151 [inline]
   __x64_sys_truncate+0x172/0x1e0 fs/open.c:151
   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

 -> (&f_owner->lock){....}-{3:3} {
    INITIAL USE at:
                     lock_acquire kernel/locking/lockdep.c:5868 [inline]
                     lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5825
                     __raw_write_lock_irq include/linux/rwlock_api_smp.h:195 [inline]
                     _raw_write_lock_irq+0x36/0x50 kernel/locking/spinlock.c:326
                     __f_setown+0x61/0x3c0 fs/fcntl.c:136
                     generic_add_lease fs/locks.c:1874 [inline]
                     generic_setlease fs/locks.c:1942 [inline]
                     generic_setlease+0xef2/0x1300 fs/locks.c:1929
                     kernel_setlease+0x106/0x140 fs/locks.c:1991
                     vfs_setlease+0x258/0x2d0 fs/locks.c:2026
                     do_fcntl_add_lease fs/locks.c:2047 [inline]
                     fcntl_setlease+0x3ed/0x5a0 fs/locks.c:2069
                     do_fcntl+0x751/0x15a0 fs/fcntl.c:536
                     __do_sys_fcntl fs/fcntl.c:591 [inline]
                     __se_sys_fcntl fs/fcntl.c:576 [inline]
                     __x64_sys_fcntl+0x163/0x200 fs/fcntl.c:576
                     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
                     do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
                     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    INITIAL READ USE at:
                          lock_acquire kernel/locking/lockdep.c:5868 [inline]
                          lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5825
                          __raw_read_lock_irq include/linux/rwlock_api_smp.h:169 [inline]
                          _raw_read_lock_irq+0x67/0x80 kernel/locking/spinlock.c:244
                          f_getown+0x57/0x300 fs/fcntl.c:204
                          sock_ioctl+0x1f2/0x6b0 net/socket.c:1304
                          vfs_ioctl fs/ioctl.c:51 [inline]
                          __do_sys_ioctl fs/ioctl.c:598 [inline]
                          __se_sys_ioctl fs/ioctl.c:584 [inline]
                          __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:584
                          do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
                          do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
                          entry_SYSCALL_64_after_hwframe+0x77/0x7f
  }
  ... key      at: [<ffffffff9ae93360>] __key.1+0x0/0x40
  ... acquired at:
   __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:160 [inline]
   _raw_read_lock_irqsave+0x74/0x90 kernel/locking/spinlock.c:236
   send_sigio+0x31/0x3e0 fs/fcntl.c:907
   kill_fasync_rcu fs/fcntl.c:1133 [inline]
   kill_fasync fs/fcntl.c:1148 [inline]
   kill_fasync+0x214/0x510 fs/fcntl.c:1141
   lease_break_callback+0x23/0x30 fs/locks.c:558
   __break_lease+0x674/0x1810 fs/locks.c:1592
   break_lease include/linux/filelock.h:446 [inline]
   vfs_truncate+0x4d3/0x6e0 fs/open.c:112
   do_sys_truncate fs/open.c:141 [inline]
   __do_sys_truncate fs/open.c:153 [inline]
   __se_sys_truncate fs/open.c:151 [inline]
   __x64_sys_truncate+0x172/0x1e0 fs/open.c:151
   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> (&new->fa_lock){....}-{3:3} {
   INITIAL READ USE at:
                        lock_acquire kernel/locking/lockdep.c:5868 [inline]
                        lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5825
                        __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:160 [inline]
                        _raw_read_lock_irqsave+0x74/0x90 kernel/locking/spinlock.c:236
                        kill_fasync_rcu fs/fcntl.c:1124 [inline]
                        kill_fasync fs/fcntl.c:1148 [inline]
                        kill_fasync+0x138/0x510 fs/fcntl.c:1141
                        lease_break_callback+0x23/0x30 fs/locks.c:558
                        __break_lease+0x674/0x1810 fs/locks.c:1592
                        break_lease include/linux/filelock.h:446 [inline]
                        vfs_truncate+0x4d3/0x6e0 fs/open.c:112
                        do_sys_truncate fs/open.c:141 [inline]
                        __do_sys_truncate fs/open.c:153 [inline]
                        __se_sys_truncate fs/open.c:151 [inline]
                        __x64_sys_truncate+0x172/0x1e0 fs/open.c:151
                        do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
                        do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
                        entry_SYSCALL_64_after_hwframe+0x77/0x7f
 }
 ... key      at: [<ffffffff9ae93320>] __key.0+0x0/0x40
 ... acquired at:
   lock_acquire kernel/locking/lockdep.c:5868 [inline]
   lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5825
   __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:160 [inline]
   _raw_read_lock_irqsave+0x74/0x90 kernel/locking/spinlock.c:236
   kill_fasync_rcu fs/fcntl.c:1124 [inline]
   kill_fasync fs/fcntl.c:1148 [inline]
   kill_fasync+0x138/0x510 fs/fcntl.c:1141
   __pass_event drivers/input/evdev.c:240 [inline]
   evdev_pass_values+0x619/0x9b0 drivers/input/evdev.c:278
   evdev_events+0x1bb/0x390 drivers/input/evdev.c:306
   input_pass_values+0x74e/0x880 drivers/input/input.c:127
   input_event_dispose drivers/input/input.c:341 [inline]
   input_handle_event+0xf00/0x14d0 drivers/input/input.c:369
   input_inject_event+0x1e8/0x3b0 drivers/input/input.c:423
   evdev_write+0x457/0x750 drivers/input/evdev.c:528
   vfs_write+0x29d/0x11d0 fs/read_write.c:684
   ksys_write+0x1f8/0x250 fs/read_write.c:738
   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x77/0x7f


stack backtrace:
CPU: 1 UID: 0 PID: 6126 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_bad_irq_dependency kernel/locking/lockdep.c:2616 [inline]
 check_irq_usage+0x7dc/0x920 kernel/locking/lockdep.c:2857
 check_prev_add kernel/locking/lockdep.c:3169 [inline]
 check_prevs_add kernel/locking/lockdep.c:3284 [inline]
 validate_chain kernel/locking/lockdep.c:3908 [inline]
 __lock_acquire+0x12bc/0x1ce0 kernel/locking/lockdep.c:5237
 lock_acquire kernel/locking/lockdep.c:5868 [inline]
 lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5825
 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:160 [inline]
 _raw_read_lock_irqsave+0x74/0x90 kernel/locking/spinlock.c:236
 kill_fasync_rcu fs/fcntl.c:1124 [inline]
 kill_fasync fs/fcntl.c:1148 [inline]
 kill_fasync+0x138/0x510 fs/fcntl.c:1141
 __pass_event drivers/input/evdev.c:240 [inline]
 evdev_pass_values+0x619/0x9b0 drivers/input/evdev.c:278
 evdev_events+0x1bb/0x390 drivers/input/evdev.c:306
 input_pass_values+0x74e/0x880 drivers/input/input.c:127
 input_event_dispose drivers/input/input.c:341 [inline]
 input_handle_event+0xf00/0x14d0 drivers/input/input.c:369
 input_inject_event+0x1e8/0x3b0 drivers/input/input.c:423
 evdev_write+0x457/0x750 drivers/input/evdev.c:528
 vfs_write+0x29d/0x11d0 fs/read_write.c:684
 ksys_write+0x1f8/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f445578ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f445664e038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f44559c6090 RCX: 00007f445578ebe9
RDX: 0000000000001068 RSI: 0000200000000040 RDI: 0000000000000009
RBP: 00007f4455811e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f44559c6128 R14: 00007f44559c6090 R15: 00007ffc20cd8298
 </TASK>