syzbot


possible deadlock in __queue_work

Status: auto-closed as invalid on 2020/12/11 19:10
Reported-by: syzbot+03b6a2a3d04bd0b09104@syzkaller.appspotmail.com
First crash: 1657d, last: 1562d
Similar bugs (5)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-4.14 | possible deadlock in __queue_work | | | | 7 | 1620d | 1728d | 0/1 | auto-closed as invalid on 2020/10/15 10:06
linux-4.19 | possible deadlock in __queue_work (2) | | | | 1 | 1253d | 1253d | 0/1 | auto-closed as invalid on 2021/10/17 12:42
upstream | possible deadlock in __queue_work (2) serial | | | | 16 | 1001d | 1000d | 0/28 | closed as invalid on 2022/02/27 14:14
upstream | possible deadlock in __queue_work (3) serial | | | | 1 | 780d | 776d | 0/28 | auto-obsoleted due to no activity on 2023/02/02 03:51
upstream | possible deadlock in __queue_work serial | | | | 2 | 1247d | 1305d | 20/28 | fixed on 2021/11/10 00:50

Sample crash report:
======================================================
WARNING: possible circular locking dependency detected
4.19.139-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.2/14035 is trying to acquire lock:
000000002b218e46 (&pool->lock/1){..-.}, at: spin_lock include/linux/spinlock.h:329 [inline]
000000002b218e46 (&pool->lock/1){..-.}, at: __queue_work+0x359/0x1100 kernel/workqueue.c:1419

but task is already holding lock:
0000000085007860 (&(&port->lock)->rlock){-.-.}, at: pty_write+0xf6/0x1f0 drivers/tty/pty.c:120

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #4 (&(&port->lock)->rlock){-.-.}:
       tty_port_tty_get+0x1d/0x80 drivers/tty/tty_port.c:289
       tty_port_default_wakeup+0x11/0x40 drivers/tty/tty_port.c:47
       serial8250_tx_chars+0x490/0xaf0 drivers/tty/serial/8250/8250_port.c:1806
       serial8250_handle_irq.part.0+0x24b/0x290 drivers/tty/serial/8250/8250_port.c:1879
       serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1865 [inline]
       serial8250_default_handle_irq+0xae/0x220 drivers/tty/serial/8250/8250_port.c:1895
       serial8250_interrupt+0xf2/0x1d0 drivers/tty/serial/8250/8250_core.c:125
       __handle_irq_event_percpu+0x27e/0x8e0 kernel/irq/handle.c:149
       handle_irq_event_percpu kernel/irq/handle.c:189 [inline]
       handle_irq_event+0x102/0x285 kernel/irq/handle.c:206
       handle_edge_irq+0x260/0xcf0 kernel/irq/chip.c:797
       generic_handle_irq_desc include/linux/irqdesc.h:155 [inline]
       handle_irq+0x35/0x50 arch/x86/kernel/irq_64.c:87
       do_IRQ+0x93/0x1c0 arch/x86/kernel/irq.c:246
       ret_from_intr+0x0/0x1e
       native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:60
       arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]
       default_idle+0x49/0x310 arch/x86/kernel/process.c:557
       cpuidle_idle_call kernel/sched/idle.c:153 [inline]
       do_idle+0x2ec/0x4b0 kernel/sched/idle.c:263
       cpu_startup_entry+0xc5/0xe0 kernel/sched/idle.c:369
       start_secondary+0x41f/0x580 arch/x86/kernel/smpboot.c:271
       secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243

-> #3 (&port_lock_key){-.-.}:
       serial8250_console_write+0x89b/0xad0 drivers/tty/serial/8250/8250_port.c:3253
       call_console_drivers kernel/printk/printk.c:1764 [inline]
       console_unlock+0xbb6/0x1110 kernel/printk/printk.c:2457
       vprintk_emit+0x2d1/0x740 kernel/printk/printk.c:1965
       vprintk_func+0x79/0x17e kernel/printk/printk_safe.c:397
       printk+0xba/0xed kernel/printk/printk.c:2040
       register_console+0x87f/0xc90 kernel/printk/printk.c:2773
       univ8250_console_init+0x3a/0x46 drivers/tty/serial/8250/8250_core.c:684
       console_init+0x4cb/0x718 kernel/printk/printk.c:2859
       start_kernel+0x686/0x911 init/main.c:659
       secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243

-> #2 (console_owner){-...}:
       vprintk_emit+0x2d1/0x740 kernel/printk/printk.c:1965
       vprintk_func+0x79/0x17e kernel/printk/printk_safe.c:397
       printk+0xba/0xed kernel/printk/printk.c:2040
       fail_dump lib/fault-inject.c:44 [inline]
       should_fail+0x66b/0x7b0 lib/fault-inject.c:149
       __should_failslab+0x115/0x180 mm/failslab.c:32
       should_failslab+0x5/0xf mm/slab_common.c:1588
       slab_pre_alloc_hook mm/slab.h:424 [inline]
       slab_alloc mm/slab.c:3383 [inline]
       kmem_cache_alloc+0x3f/0x370 mm/slab.c:3557
       kmem_cache_zalloc include/linux/slab.h:699 [inline]
       fill_pool lib/debugobjects.c:134 [inline]
       __debug_object_init+0x6d9/0x9b0 lib/debugobjects.c:379
       __init_work kernel/workqueue.c:502 [inline]
       insert_wq_barrier kernel/workqueue.c:2546 [inline]
       start_flush_work kernel/workqueue.c:2888 [inline]
       __flush_work+0x270/0x8b0 kernel/workqueue.c:2927
       snd_seq_client_use_ptr+0x356/0x3e0 sound/core/seq/seq_clientmgr.c:164
       snd_seq_info_clients_read+0x135/0x7c0 sound/core/seq/seq_clientmgr.c:2461
       snd_info_seq_show+0xc5/0x110 sound/core/info.c:378
       seq_read+0x4be/0x1160 fs/seq_file.c:229
       proc_reg_read+0x1bd/0x2d0 fs/proc/inode.c:231
       do_loop_readv_writev fs/read_write.c:701 [inline]
       do_loop_readv_writev fs/read_write.c:688 [inline]
       do_iter_read+0x471/0x630 fs/read_write.c:925
       vfs_readv+0xe5/0x150 fs/read_write.c:987
       do_preadv fs/read_write.c:1071 [inline]
       __do_sys_preadv fs/read_write.c:1121 [inline]
       __se_sys_preadv fs/read_write.c:1116 [inline]
       __x64_sys_preadv+0x22b/0x310 fs/read_write.c:1116
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (&(&pool->lock)->rlock){-.-.}:
       spin_lock include/linux/spinlock.h:329 [inline]
       __queue_work+0x359/0x1100 kernel/workqueue.c:1419
       queue_work_on+0x17e/0x1f0 kernel/workqueue.c:1488
       queue_work include/linux/workqueue.h:512 [inline]
       schedule_work include/linux/workqueue.h:570 [inline]
       put_pwq+0x15a/0x1b0 kernel/workqueue.c:1090
       put_pwq_unlocked kernel/workqueue.c:1107 [inline]
       put_pwq_unlocked kernel/workqueue.c:1099 [inline]
       destroy_workqueue+0x649/0x790 kernel/workqueue.c:4243
       do_floppy_init drivers/block/floppy.c:4737 [inline]
       floppy_async_init+0x1eeb/0x2024 drivers/block/floppy.c:4754
       async_run_entry_fn+0x121/0x530 kernel/async.c:127
       process_one_work+0x864/0x1570 kernel/workqueue.c:2155
       worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
       kthread+0x30b/0x410 kernel/kthread.c:246
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

-> #0 (&pool->lock/1){..-.}:
       __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
       _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
       spin_lock include/linux/spinlock.h:329 [inline]
       __queue_work+0x359/0x1100 kernel/workqueue.c:1419
       queue_work_on+0x17e/0x1f0 kernel/workqueue.c:1488
       pty_write+0x198/0x1f0 drivers/tty/pty.c:125
       n_tty_write+0xa03/0xff0 drivers/tty/n_tty.c:2354
       do_tty_write drivers/tty/tty_io.c:960 [inline]
       tty_write+0x496/0x810 drivers/tty/tty_io.c:1044
       __vfs_write+0xf7/0x770 fs/read_write.c:485
       vfs_write+0x1f3/0x540 fs/read_write.c:549
       ksys_write+0x12b/0x2a0 fs/read_write.c:599
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
  &pool->lock/1 --> &port_lock_key --> &(&port->lock)->rlock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&(&port->lock)->rlock);
                               lock(&port_lock_key);
                               lock(&(&port->lock)->rlock);
  lock(&pool->lock/1);

 *** DEADLOCK ***

5 locks held by syz-executor.2/14035:
 #0: 000000003e205a20 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref_wait+0x22/0x80 drivers/tty/tty_ldisc.c:272
 #1: 000000004abfd3ee (&tty->atomic_write_lock){+.+.}, at: tty_write_lock drivers/tty/tty_io.c:886 [inline]
 #1: 000000004abfd3ee (&tty->atomic_write_lock){+.+.}, at: do_tty_write drivers/tty/tty_io.c:909 [inline]
 #1: 000000004abfd3ee (&tty->atomic_write_lock){+.+.}, at: tty_write+0x24e/0x810 drivers/tty/tty_io.c:1044
 #2: 0000000037f8f813 (&tty->termios_rwsem){++++}, at: n_tty_write+0x1b5/0xff0 drivers/tty/n_tty.c:2314
 #3: 00000000da08a4c8 (&ldata->output_lock){+.+.}, at: n_tty_write+0x9d0/0xff0 drivers/tty/n_tty.c:2353
 #4: 0000000085007860 (&(&port->lock)->rlock){-.-.}, at: pty_write+0xf6/0x1f0 drivers/tty/pty.c:120

stack backtrace:
CPU: 1 PID: 14035 Comm: syz-executor.2 Not tainted 4.19.139-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1221
 check_prev_add kernel/locking/lockdep.c:1865 [inline]
 check_prevs_add kernel/locking/lockdep.c:1978 [inline]
 validate_chain kernel/locking/lockdep.c:2419 [inline]
 __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3415
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3907
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:329 [inline]
 __queue_work+0x359/0x1100 kernel/workqueue.c:1419
 queue_work_on+0x17e/0x1f0 kernel/workqueue.c:1488
 pty_write+0x198/0x1f0 drivers/tty/pty.c:125
 n_tty_write+0xa03/0xff0 drivers/tty/n_tty.c:2354
 do_tty_write drivers/tty/tty_io.c:960 [inline]
 tty_write+0x496/0x810 drivers/tty/tty_io.c:1044
 __vfs_write+0xf7/0x770 fs/read_write.c:485
 vfs_write+0x1f3/0x540 fs/read_write.c:549
 ksys_write+0x12b/0x2a0 fs/read_write.c:599
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45d189
Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fac5d89dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000037cc0 RCX: 000000000045d189
RDX: 00000000ffffff78 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffc6e0c8e2f R14: 00007fac5d89e9c0 R15: 000000000118cf4c

Crashes (3):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2020/08/13 19:09 | linux-4.19.y | c14d30dc9987 | ee7cb8b6 | .config | console log | report | | | | | ci2-linux-4-19 |
2020/07/26 18:11 | linux-4.19.y | 20b3a3dfdf6c | 51265195 | .config | console log | report | | | | | ci2-linux-4-19 |
2020/05/10 21:10 | linux-4.19.y | 033c4ea49a4b | 8742a2b9 | .config | console log | report | | | | | ci2-linux-4-19 |
* Struck through repros no longer work on HEAD.