[ OK ] Reached target Login Prompts. [ OK ] Reached target Multi-User System. [ OK ] Reached target Graphical Interface. Starting Update UTMP about System Runlevel Changes... [ OK ] Started Update UTMP about System Runlevel Changes. Debian GNU/Linux 9 syzkaller ttyS0 Warning: Permanently added '10.128.0.222' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 86.575829][ T37] audit: type=1400 audit(1619774951.232:8): avc: denied { execmem } for pid=8391 comm="syz-executor132" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1 [ 86.845882][ T36] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 87.205958][ T36] usb 1-1: config 0 has an invalid interface number: 123 but max is 0 [ 87.214292][ T36] usb 1-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 87.225067][ T36] usb 1-1: config 0 has no interface number 0 [ 87.232079][ T36] usb 1-1: config 0 interface 123 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 15 [ 87.405958][ T36] usb 1-1: New USB device found, idVendor=0781, idProduct=0100, bcdDevice= 1.00 [ 87.415026][ T36] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 87.423335][ T36] usb 1-1: Product: syz [ 87.427724][ T36] usb 1-1: Manufacturer: syz [ 87.432341][ T36] usb 1-1: SerialNumber: syz [ 87.445307][ T36] usb 1-1: config 0 descriptor?? [ 87.705158][ T8391] [ 87.707635][ T8391] ======================================================== [ 87.714821][ T8391] WARNING: possible irq lock inversion dependency detected [ 87.722005][ T8391] 5.12.0-syzkaller #0 Not tainted [ 87.727013][ T8391] -------------------------------------------------------- [ 87.734204][ T8391] syz-executor132/8391 just changed the state of lock: [ 87.741034][ T8391] ffff888015967bf8 (&f->f_owner.lock){.+..}-{2:2}, at: do_fcntl+0x8b4/0x1200 [ 87.749838][ T8391] but this lock was taken by another, HARDIRQ-safe lock in the past: [ 87.757886][ T8391] (&dev->event_lock){-...}-{2:2} [ 87.757909][ T8391] [ 87.757909][ T8391] [ 87.757909][ T8391] and interrupts could create inverse lock ordering between them. [ 87.757909][ T8391] [ 87.777243][ T8391] [ 87.777243][ T8391] other info that might help us debug this: [ 87.785300][ T8391] Chain exists of: [ 87.785300][ T8391] &dev->event_lock --> &new->fa_lock --> &f->f_owner.lock [ 87.785300][ T8391] [ 87.798322][ T8391] Possible interrupt unsafe locking scenario: [ 87.798322][ T8391] [ 87.806626][ T8391] CPU0 CPU1 [ 87.811991][ T8391] ---- ---- [ 87.817364][ T8391] lock(&f->f_owner.lock); [ 87.821855][ T8391] local_irq_disable(); [ 87.828616][ T8391] lock(&dev->event_lock); [ 87.835626][ T8391] lock(&new->fa_lock); [ 87.842389][ T8391] [ 87.845833][ T8391] lock(&dev->event_lock); [ 87.850511][ T8391] [ 87.850511][ T8391] *** DEADLOCK *** [ 87.850511][ T8391] [ 87.858637][ T8391] no locks held by syz-executor132/8391. [ 87.864269][ T8391] [ 87.864269][ T8391] the shortest dependencies between 2nd lock and 1st lock: [ 87.873644][ T8391] -> (&dev->event_lock){-...}-{2:2} { [ 87.879293][ T8391] IN-HARDIRQ-W at: [ 87.883520][ T8391] lock_acquire+0x1ab/0x740 [ 87.890205][ T8391] _raw_spin_lock_irqsave+0x39/0x50 [ 87.897598][ T8391] input_event+0x7b/0xb0 [ 87.904018][ T8391] psmouse_report_standard_buttons+0x2c/0x80 [ 87.912166][ T8391] psmouse_process_byte+0x1e1/0x890 [ 87.919537][ T8391] psmouse_handle_byte+0x41/0x1b0 [ 87.926863][ T8391] psmouse_interrupt+0x304/0xf00 [ 87.933975][ T8391] serio_interrupt+0x88/0x150 [ 87.940822][ T8391] i8042_interrupt+0x27a/0x520 [ 87.947767][ T8391] __handle_irq_event_percpu+0x303/0x8f0 [ 87.955565][ T8391] handle_irq_event+0x102/0x290 [ 87.962603][ T8391] handle_edge_irq+0x25f/0xd00 [ 87.969556][ T8391] __common_interrupt+0x9e/0x200 [ 87.976686][ T8391] common_interrupt+0x9f/0xd0 [ 87.983547][ T8391] asm_common_interrupt+0x1e/0x40 [ 87.990753][ T8391] _raw_spin_unlock_irqrestore+0x38/0x70 [ 87.998554][ T8391] i8042_command+0x12e/0x150 [ 88.005327][ T8391] i8042_aux_write+0xd7/0x120 [ 88.012193][ T8391] ps2_do_sendbyte+0x2cf/0x720 [ 88.019129][ T8391] ps2_sendbyte+0x58/0x150 [ 88.025745][ T8391] cypress_ps2_sendbyte+0x2e/0x160 [ 88.033042][ T8391] cypress_send_ext_cmd+0x1d0/0x8e0 [ 88.040415][ T8391] cypress_detect+0x75/0x190 [ 88.047191][ T8391] psmouse_try_protocol+0x211/0x370 [ 88.054565][ T8391] psmouse_extensions+0x557/0x930 [ 88.061763][ T8391] psmouse_switch_protocol+0x52a/0x740 [ 88.069392][ T8391] psmouse_connect+0x5e9/0xfd0 [ 88.076326][ T8391] serio_driver_probe+0x72/0xa0 [ 88.083362][ T8391] really_probe+0x291/0xf60 [ 88.090036][ T8391] driver_probe_device+0x298/0x410 [ 88.097337][ T8391] device_driver_attach+0x228/0x290 [ 88.104708][ T8391] __driver_attach+0x190/0x340 [ 88.111643][ T8391] bus_for_each_dev+0x147/0x1d0 [ 88.118677][ T8391] serio_handle_event+0x5f6/0xa30 [ 88.125870][ T8391] process_one_work+0x98d/0x1600 [ 88.132992][ T8391] worker_thread+0x64c/0x1120 [ 88.139851][ T8391] kthread+0x3b1/0x4a0 [ 88.146087][ T8391] ret_from_fork+0x1f/0x30 [ 88.152721][ T8391] INITIAL USE at: [ 88.156858][ T8391] lock_acquire+0x1ab/0x740 [ 88.163453][ T8391] _raw_spin_lock_irqsave+0x39/0x50 [ 88.170741][ T8391] input_inject_event+0xa6/0x310 [ 88.177765][ T8391] led_set_brightness_nosleep+0xe6/0x1a0 [ 88.185478][ T8391] led_set_brightness+0x134/0x170 [ 88.192597][ T8391] led_trigger_event+0x75/0xd0 [ 88.199434][ T8391] kbd_led_trigger_activate+0xc9/0x100 [ 88.206974][ T8391] led_trigger_set+0x61e/0xbd0 [ 88.213832][ T8391] led_trigger_set_default+0x1a6/0x230 [ 88.221366][ T8391] led_classdev_register_ext+0x5b1/0x7c0 [ 88.229095][ T8391] input_leds_connect+0x3fb/0x740 [ 88.236283][ T8391] input_attach_handler+0x180/0x1f0 [ 88.243567][ T8391] input_register_device.cold+0xf0/0x307 [ 88.251285][ T8391] atkbd_connect+0x739/0xa10 [ 88.257957][ T8391] serio_driver_probe+0x72/0xa0 [ 88.264896][ T8391] really_probe+0x291/0xf60 [ 88.271505][ T8391] driver_probe_device+0x298/0x410 [ 88.278713][ T8391] device_driver_attach+0x228/0x290 [ 88.286014][ T8391] __driver_attach+0x190/0x340 [ 88.292859][ T8391] bus_for_each_dev+0x147/0x1d0 [ 88.299786][ T8391] serio_handle_event+0x5f6/0xa30 [ 88.306890][ T8391] process_one_work+0x98d/0x1600 [ 88.313903][ T8391] worker_thread+0x64c/0x1120 [ 88.320669][ T8391] kthread+0x3b1/0x4a0 [ 88.326805][ T8391] ret_from_fork+0x1f/0x30 [ 88.333398][ T8391] } [ 88.336148][ T8391] ... key at: [] __key.8+0x0/0x40 [ 88.343510][ T8391] ... acquired at: [ 88.347561][ T8391] _raw_spin_lock+0x2a/0x40 [ 88.352362][ T8391] evdev_pass_values.part.0+0xf6/0x970 [ 88.358076][ T8391] evdev_events+0x28b/0x3f0 [ 88.362745][ T8391] input_to_handler+0x2a0/0x4c0 [ 88.367786][ T8391] input_pass_values.part.0+0x284/0x700 [ 88.373516][ T8391] input_handle_event+0x373/0x1440 [ 88.378793][ T8391] input_inject_event+0x2f5/0x310 [ 88.383977][ T8391] evdev_write+0x430/0x760 [ 88.388569][ T8391] vfs_write+0x28e/0xa30 [ 88.393004][ T8391] ksys_write+0x1ee/0x250 [ 88.397507][ T8391] do_syscall_64+0x3a/0xb0 [ 88.402792][ T8391] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 88.408847][ T8391] [ 88.411166][ T8391] -> (&client->buffer_lock){....}-{2:2} { [ 88.417053][ T8391] INITIAL USE at: [ 88.421098][ T8391] lock_acquire+0x1ab/0x740 [ 88.427538][ T8391] _raw_spin_lock+0x2a/0x40 [ 88.433949][ T8391] evdev_pass_values.part.0+0xf6/0x970 [ 88.441320][ T8391] evdev_events+0x28b/0x3f0 [ 88.447821][ T8391] input_to_handler+0x2a0/0x4c0 [ 88.454571][ T8391] input_pass_values.part.0+0x284/0x700 [ 88.462035][ T8391] input_handle_event+0x373/0x1440 [ 88.469051][ T8391] input_inject_event+0x2f5/0x310 [ 88.475993][ T8391] evdev_write+0x430/0x760 [ 88.482329][ T8391] vfs_write+0x28e/0xa30 [ 88.488572][ T8391] ksys_write+0x1ee/0x250 [ 88.494829][ T8391] do_syscall_64+0x3a/0xb0 [ 88.501153][ T8391] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 88.508959][ T8391] } [ 88.511644][ T8391] ... key at: [] __key.4+0x0/0x40 [ 88.519080][ T8391] ... acquired at: [ 88.523042][ T8391] _raw_read_lock+0x5b/0x70 [ 88.527709][ T8391] kill_fasync+0x14b/0x460 [ 88.532306][ T8391] evdev_pass_values.part.0+0x64e/0x970 [ 88.538035][ T8391] evdev_events+0x28b/0x3f0 [ 88.542710][ T8391] input_to_handler+0x2a0/0x4c0 [ 88.547751][ T8391] input_pass_values.part.0+0x284/0x700 [ 88.553463][ T8391] input_handle_event+0x373/0x1440 [ 88.558756][ T8391] input_inject_event+0x2f5/0x310 [ 88.563962][ T8391] evdev_write+0x430/0x760 [ 88.568568][ T8391] vfs_write+0x28e/0xa30 [ 88.572996][ T8391] ksys_write+0x1ee/0x250 [ 88.577500][ T8391] do_syscall_64+0x3a/0xb0 [ 88.582079][ T8391] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 88.588150][ T8391] [ 88.590474][ T8391] -> (&new->fa_lock){....}-{2:2} { [ 88.595664][ T8391] INITIAL READ USE at: [ 88.600072][ T8391] lock_acquire+0x1ab/0x740 [ 88.606741][ T8391] _raw_read_lock+0x5b/0x70 [ 88.613403][ T8391] kill_fasync+0x14b/0x460 [ 88.619998][ T8391] evdev_pass_values.part.0+0x64e/0x970 [ 88.627711][ T8391] evdev_events+0x28b/0x3f0 [ 88.634382][ T8391] input_to_handler+0x2a0/0x4c0 [ 88.641592][ T8391] input_pass_values.part.0+0x284/0x700 [ 88.649363][ T8391] input_handle_event+0x373/0x1440 [ 88.656650][ T8391] input_inject_event+0x2f5/0x310 [ 88.663846][ T8391] evdev_write+0x430/0x760 [ 88.670461][ T8391] vfs_write+0x28e/0xa30 [ 88.676885][ T8391] ksys_write+0x1ee/0x250 [ 88.683399][ T8391] do_syscall_64+0x3a/0xb0 [ 88.690008][ T8391] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 88.698063][ T8391] } [ 88.700633][ T8391] ... key at: [] __key.0+0x0/0x40 [ 88.707833][ T8391] ... acquired at: [ 88.711720][ T8391] _raw_read_lock_irqsave+0x70/0x90 [ 88.717089][ T8391] send_sigio+0x24/0x370 [ 88.721487][ T8391] kill_fasync+0x205/0x460 [ 88.726070][ T8391] evdev_pass_values.part.0+0x64e/0x970 [ 88.731791][ T8391] evdev_events+0x28b/0x3f0 [ 88.736451][ T8391] input_to_handler+0x2a0/0x4c0 [ 88.741473][ T8391] input_pass_values.part.0+0x284/0x700 [ 88.747201][ T8391] input_handle_event+0x373/0x1440 [ 88.752487][ T8391] input_inject_event+0x2f5/0x310 [ 88.757692][ T8391] evdev_write+0x430/0x760 [ 88.762269][ T8391] vfs_write+0x28e/0xa30 [ 88.766671][ T8391] ksys_write+0x1ee/0x250 [ 88.771187][ T8391] do_syscall_64+0x3a/0xb0 [ 88.775948][ T8391] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 88.782111][ T8391] [ 88.784502][ T8391] -> (&f->f_owner.lock){.+..}-{2:2} { [ 88.789864][ T8391] HARDIRQ-ON-R at: [ 88.793848][ T8391] lock_acquire+0x1ab/0x740 [ 88.799999][ T8391] _raw_read_lock+0x5b/0x70 [ 88.806263][ T8391] do_fcntl+0x8b4/0x1200 [ 88.812142][ T8391] __x64_sys_fcntl+0x165/0x1e0 [ 88.818566][ T8391] do_syscall_64+0x3a/0xb0 [ 88.824649][ T8391] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 88.832203][ T8391] INITIAL READ USE at: [ 88.836517][ T8391] lock_acquire+0x1ab/0x740 [ 88.843071][ T8391] _raw_read_lock_irqsave+0x70/0x90 [ 88.850270][ T8391] send_sigio+0x24/0x370 [ 88.856505][ T8391] kill_fasync+0x205/0x460 [ 88.862913][ T8391] evdev_pass_values.part.0+0x64e/0x970 [ 88.870464][ T8391] evdev_events+0x28b/0x3f0 [ 88.876963][ T8391] input_to_handler+0x2a0/0x4c0 [ 88.884811][ T8391] input_pass_values.part.0+0x284/0x700 [ 88.892363][ T8391] input_handle_event+0x373/0x1440 [ 88.899466][ T8391] input_inject_event+0x2f5/0x310 [ 88.906481][ T8391] evdev_write+0x430/0x760 [ 88.912891][ T8391] vfs_write+0x28e/0xa30 [ 88.919140][ T8391] ksys_write+0x1ee/0x250 [ 88.925486][ T8391] do_syscall_64+0x3a/0xb0 [ 88.931930][ T8391] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 88.939821][ T8391] } [ 88.942306][ T8391] ... key at: [] __key.5+0x0/0x40 [ 88.949406][ T8391] ... acquired at: [ 88.953193][ T8391] __lock_acquire+0x120f/0x5230 [ 88.958314][ T8391] lock_acquire+0x1ab/0x740 [ 88.963007][ T8391] _raw_read_lock+0x5b/0x70 [ 88.967682][ T8391] do_fcntl+0x8b4/0x1200 [ 88.972095][ T8391] __x64_sys_fcntl+0x165/0x1e0 [ 88.977082][ T8391] do_syscall_64+0x3a/0xb0 [ 88.981683][ T8391] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 88.987757][ T8391] [ 88.990064][ T8391] [ 88.990064][ T8391] stack backtrace: [ 88.995940][ T8391] CPU: 0 PID: 8391 Comm: syz-executor132 Not tainted 5.12.0-syzkaller #0 [ 89.004427][ T8391] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 89.014477][ T8391] Call Trace: [ 89.017753][ T8391] dump_stack+0x141/0x1d7 [ 89.022097][ T8391] mark_lock.cold+0x1d/0x8e [ 89.026596][ T8391] ? lock_chain_count+0x20/0x20 [ 89.031617][ T8391] ? kasan_save_stack+0x32/0x40 [ 89.036472][ T8391] ? kasan_save_stack+0x1b/0x40 [ 89.041323][ T8391] ? kasan_set_track+0x1c/0x30 [ 89.046074][ T8391] ? kasan_set_free_info+0x20/0x30 [ 89.051176][ T8391] ? mark_lock+0xef/0x17b0 [ 89.055605][ T8391] __lock_acquire+0x120f/0x5230 [ 89.060449][ T8391] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 89.066419][ T8391] lock_acquire+0x1ab/0x740 [ 89.070916][ T8391] ? do_fcntl+0x8b4/0x1200 [ 89.075314][ T8391] ? lock_release+0x720/0x720 [ 89.079989][ T8391] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 89.085960][ T8391] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 89.091929][ T8391] ? kmem_cache_free+0x1c4/0x1f0 [ 89.096921][ T8391] _raw_read_lock+0x5b/0x70 [ 89.101422][ T8391] ? do_fcntl+0x8b4/0x1200 [ 89.105827][ T8391] do_fcntl+0x8b4/0x1200 [ 89.110069][ T8391] ? __context_tracking_exit+0xb8/0xe0 [ 89.115521][ T8391] ? f_getown+0x2a0/0x2a0 [ 89.119850][ T8391] ? __sanitizer_cov_trace_switch+0x63/0xf0 [ 89.125733][ T8391] ? selinux_file_fcntl+0x6f/0x160 [ 89.130838][ T8391] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 89.137079][ T8391] __x64_sys_fcntl+0x165/0x1e0 [ 89.141860][ T8391] do_syscall_64+0x3a/0xb0 [ 89.146321][ T8391] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 89.152226][ T8391] RIP: 0033:0x446d89 [ 89.156107][ T8391] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 89.175704][ T8391] RSP: 002b:00007ffe99039a78 EFLAGS: 00000246 ORIG_RAX: 0000000000000048 [ 89.184217][ T8391] RAX: ffffffffffffffda RBX: 00000000004004a0 RCX: 0000000000446d89 [ 89.192181][ T8391] RDX: 0000000000000000 RSI: 0000000000000010 RDI: 0000000000000006 [ 89.200147][ T8391] RBP: 0000000000406610 R08: 00000000004004a0 R09: 00000000004004a0 [ 89.208122][ T8391] R10: 0000000000400