[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.84' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 71.516443][ T8462]
[ 71.518793][ T8462] =====================================================
[ 71.525719][ T8462] WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected
[ 71.533274][ T8462] 5.14.0-syzkaller #0 Not tainted
[ 71.538285][ T8462] -----------------------------------------------------
[ 71.545305][ T8462] syz-executor378/8462 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
[ 71.553354][ T8462] ffff888021316138 (&f->f_owner.lock){.+.+}-{2:2}, at: send_sigio+0x24/0x380
[ 71.562339][ T8462]
[ 71.562339][ T8462] and this task is already holding:
[ 71.569706][ T8462] ffff88801cfd0018 (&new->fa_lock){....}-{2:2}, at: kill_fasync+0x132/0x460
[ 71.578406][ T8462] which would create a new lock dependency:
[ 71.584271][ T8462]  (&new->fa_lock){....}-{2:2} -> (&f->f_owner.lock){.+.+}-{2:2}
[ 71.592008][ T8462]
[ 71.592008][ T8462] but this new dependency connects a HARDIRQ-irq-safe lock:
[ 71.601444][ T8462]  (&timer->lock){-...}-{2:2}
[ 71.601462][ T8462]
[ 71.601462][ T8462] ... which became HARDIRQ-irq-safe at:
[ 71.613789][ T8462]   lock_acquire+0x1ab/0x510
[ 71.618365][ T8462]   _raw_spin_lock+0x2a/0x40
[ 71.622965][ T8462]   snd_hrtimer_callback+0x4f/0x3c0
[ 71.628144][ T8462]   __hrtimer_run_queues+0x609/0xe50
[ 71.633413][ T8462]   hrtimer_interrupt+0x330/0xa00
[ 71.638428][ T8462]   __sysvec_apic_timer_interrupt+0x146/0x530
[ 71.644478][ T8462]   sysvec_apic_timer_interrupt+0x8e/0xc0
[ 71.650181][ T8462]   asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 71.656229][ T8462]   lock_acquire+0x1ef/0x510
[ 71.660796][ T8462]   fs_reclaim_acquire+0xd2/0x160
[ 71.665812][ T8462]   __kmalloc+0x58/0x330
[ 71.670045][ T8462]   realloc_user_queue+0x98/0x300
[ 71.675537][ T8462]   __snd_timer_user_ioctl.isra.0+0x800/0x24c0
[ 71.681704][ T8462]   snd_timer_user_ioctl+0x77/0xb0
[ 71.686919][ T8462]   __x64_sys_ioctl+0x193/0x200
[ 71.691767][ T8462]   do_syscall_64+0x35/0xb0
[ 71.696257][ T8462]   entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 71.702223][ T8462]
[ 71.702223][ T8462] to a HARDIRQ-irq-unsafe lock:
[ 71.709228][ T8462]  (&f->f_owner.lock){.+.+}-{2:2}
[ 71.709250][ T8462]
[ 71.709250][ T8462] ... which became HARDIRQ-irq-unsafe at:
[ 71.722132][ T8462] ...
[ 71.722138][ T8462]   lock_acquire+0x1ab/0x510
[ 71.729319][ T8462]   _raw_read_lock+0x5b/0x70
[ 71.733894][ T8462]   f_getown+0x23/0x2a0
[ 71.738040][ T8462]   do_fcntl+0xbd8/0x1210
[ 71.742365][ T8462]   __x64_sys_fcntl+0x165/0x1e0
[ 71.747203][ T8462]   do_syscall_64+0x35/0xb0
[ 71.751708][ T8462]   entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 71.757684][ T8462]
[ 71.757684][ T8462] other info that might help us debug this:
[ 71.757684][ T8462]
[ 71.767886][ T8462] Chain exists of:
[ 71.767886][ T8462]   &timer->lock --> &new->fa_lock --> &f->f_owner.lock
[ 71.767886][ T8462]
[ 71.780641][ T8462]  Possible interrupt unsafe locking scenario:
[ 71.780641][ T8462]
[ 71.789078][ T8462]        CPU0                    CPU1
[ 71.794445][ T8462]        ----                    ----
[ 71.799785][ T8462]   lock(&f->f_owner.lock);
[ 71.804274][ T8462]                                local_irq_disable();
[ 71.811148][ T8462]                                lock(&timer->lock);
[ 71.817824][ T8462]                                lock(&new->fa_lock);
[ 71.824576][ T8462]
[ 71.828024][ T8462]     lock(&timer->lock);
[ 71.832351][ T8462]
[ 71.832351][ T8462]  *** DEADLOCK ***
[ 71.832351][ T8462]
[ 71.840473][ T8462] 4 locks held by syz-executor378/8462:
[ 71.846082][ T8462]  #0: ffff88802b900568 (&tu->ioctl_lock){+.+.}-{3:3}, at: snd_timer_user_ioctl+0x4c/0xb0
[ 71.856153][ T8462]  #1: ffff888026ad4148 (&timer->lock){-...}-{2:2}, at: snd_timer_start1+0x5a/0x800
[ 71.865540][ T8462]  #2: ffffffff8b97c280 (rcu_read_lock){....}-{1:2}, at: kill_fasync+0x3d/0x460
[ 71.874573][ T8462]  #3: ffff88801cfd0018 (&new->fa_lock){....}-{2:2}, at: kill_fasync+0x132/0x460
[ 71.883929][ T8462]
[ 71.883929][ T8462] the dependencies between HARDIRQ-irq-safe lock and the holding lock:
[ 71.894320][ T8462]  -> (&timer->lock){-...}-{2:2} {
[ 71.899490][ T8462]     IN-HARDIRQ-W at:
[ 71.903539][ T8462]       lock_acquire+0x1ab/0x510
[ 71.909850][ T8462]       _raw_spin_lock+0x2a/0x40
[ 71.916384][ T8462]       snd_hrtimer_callback+0x4f/0x3c0
[ 71.923317][ T8462]       __hrtimer_run_queues+0x609/0xe50
[ 71.930599][ T8462]       hrtimer_interrupt+0x330/0xa00
[ 71.937536][ T8462]       __sysvec_apic_timer_interrupt+0x146/0x530
[ 71.945374][ T8462]       sysvec_apic_timer_interrupt+0x8e/0xc0
[ 71.952980][ T8462]       asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 71.960922][ T8462]       lock_acquire+0x1ef/0x510
[ 71.967418][ T8462]       fs_reclaim_acquire+0xd2/0x160
[ 71.974186][ T8462]       __kmalloc+0x58/0x330
[ 71.980152][ T8462]       realloc_user_queue+0x98/0x300
[ 71.986898][ T8462]       __snd_timer_user_ioctl.isra.0+0x800/0x24c0
[ 71.994958][ T8462]       snd_timer_user_ioctl+0x77/0xb0
[ 72.001802][ T8462]       __x64_sys_ioctl+0x193/0x200
[ 72.008386][ T8462]       do_syscall_64+0x35/0xb0
[ 72.014614][ T8462]       entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.022413][ T8462]     INITIAL USE at:
[ 72.026376][ T8462]       lock_acquire+0x1ab/0x510
[ 72.032604][ T8462]       _raw_spin_lock_irqsave+0x39/0x50
[ 72.039529][ T8462]       snd_timer_resolution+0x55/0x100
[ 72.046388][ T8462]       initialize_timer+0x183/0x290
[ 72.052980][ T8462]       snd_seq_timer_start+0x151/0x290
[ 72.059840][ T8462]       snd_seq_control_queue+0x872/0xaa0
[ 72.066851][ T8462]       snd_seq_deliver_single_event.constprop.0+0x42b/0x820
[ 72.075517][ T8462]       snd_seq_deliver_event+0x4e7/0x970
[ 72.082881][ T8462]       snd_seq_kernel_client_dispatch+0x145/0x180
[ 72.090688][ T8462]       send_timer_event.isra.0+0x10b/0x160
[ 72.097940][ T8462]       snd_seq_oss_timer_start+0x1c3/0x310
[ 72.105135][ T8462]       snd_seq_oss_process_event+0xda5/0x27d0
[ 72.112698][ T8462]       snd_seq_oss_write+0x227/0x780
[ 72.119466][ T8462]       odev_write+0x55/0x90
[ 72.125350][ T8462]       vfs_write+0x28e/0xa40
[ 72.131316][ T8462]       ksys_write+0x12d/0x250
[ 72.137365][ T8462]       do_syscall_64+0x35/0xb0
[ 72.143502][ T8462]       entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.151113][ T8462]   }
[ 72.153733][ T8462]   ... key at: [] __key.12+0x0/0x40
[ 72.161019][ T8462]  -> (&new->fa_lock){....}-{2:2} {
[ 72.166237][ T8462]     INITIAL READ USE at:
[ 72.170541][ T8462]       lock_acquire+0x1ab/0x510
[ 72.177035][ T8462]       _raw_read_lock+0x5b/0x70
[ 72.183516][ T8462]       kill_fasync+0x132/0x460
[ 72.190001][ T8462]       snd_timer_user_ccallback+0x298/0x330
[ 72.197629][ T8462]       snd_timer_notify1+0x11c/0x3b0
[ 72.204545][ T8462]       snd_timer_start1+0x4d4/0x800
[ 72.211460][ T8462]       snd_timer_user_start.isra.0+0x1e3/0x260
[ 72.219260][ T8462]       __snd_timer_user_ioctl.isra.0+0xda8/0x24c0
[ 72.227320][ T8462]       snd_timer_user_ioctl+0x77/0xb0
[ 72.234323][ T8462]       __x64_sys_ioctl+0x193/0x200
[ 72.241095][ T8462]       do_syscall_64+0x35/0xb0
[ 72.247491][ T8462]       entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.255363][ T8462]   }
[ 72.257859][ T8462]   ... key at: [] __key.0+0x0/0x40
[ 72.264965][ T8462]   ... acquired at:
[ 72.268775][ T8462]     _raw_read_lock+0x5b/0x70
[ 72.273454][ T8462]     kill_fasync+0x132/0x460
[ 72.278041][ T8462]     snd_timer_user_ccallback+0x298/0x330
[ 72.283745][ T8462]     snd_timer_notify1+0x11c/0x3b0
[ 72.288843][ T8462]     snd_timer_start1+0x4d4/0x800
[ 72.294042][ T8462]     snd_timer_user_start.isra.0+0x1e3/0x260
[ 72.300254][ T8462]     __snd_timer_user_ioctl.isra.0+0xda8/0x24c0
[ 72.306500][ T8462]     snd_timer_user_ioctl+0x77/0xb0
[ 72.311699][ T8462]     __x64_sys_ioctl+0x193/0x200
[ 72.316637][ T8462]     do_syscall_64+0x35/0xb0
[ 72.321212][ T8462]     entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.328648][ T8462]
[ 72.330950][ T8462]
[ 72.330950][ T8462] the dependencies between the lock to be acquired
[ 72.330956][ T8462]  and HARDIRQ-irq-unsafe lock:
[ 72.344527][ T8462]  -> (&f->f_owner.lock){.+.+}-{2:2} {
[ 72.349905][ T8462]     HARDIRQ-ON-R at:
[ 72.353863][ T8462]       lock_acquire+0x1ab/0x510
[ 72.360013][ T8462]       _raw_read_lock+0x5b/0x70
[ 72.366148][ T8462]       f_getown+0x23/0x2a0
[ 72.371851][ T8462]       do_fcntl+0xbd8/0x1210
[ 72.377729][ T8462]       __x64_sys_fcntl+0x165/0x1e0
[ 72.384133][ T8462]       do_syscall_64+0x35/0xb0
[ 72.390215][ T8462]       entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.397778][ T8462]     SOFTIRQ-ON-R at:
[ 72.401772][ T8462]       lock_acquire+0x1ab/0x510
[ 72.407944][ T8462]       _raw_read_lock+0x5b/0x70
[ 72.414110][ T8462]       f_getown+0x23/0x2a0
[ 72.419936][ T8462]       do_fcntl+0xbd8/0x1210
[ 72.425853][ T8462]       __x64_sys_fcntl+0x165/0x1e0
[ 72.432307][ T8462]       do_syscall_64+0x35/0xb0
[ 72.438394][ T8462]       entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.445955][ T8462]     INITIAL READ USE at:
[ 72.450286][ T8462]       lock_acquire+0x1ab/0x510
[ 72.456797][ T8462]       _raw_read_lock+0x5b/0x70
[ 72.463461][ T8462]       f_getown+0x23/0x2a0
[ 72.469687][ T8462]       do_fcntl+0xbd8/0x1210
[ 72.475910][ T8462]       __x64_sys_fcntl+0x165/0x1e0
[ 72.482675][ T8462]       do_syscall_64+0x35/0xb0
[ 72.489072][ T8462]       entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.497050][ T8462]   }
[ 72.499617][ T8462]   ... key at: [] __key.5+0x0/0x40
[ 72.506725][ T8462]   ... acquired at:
[ 72.510506][ T8462]     lock_acquire+0x1ab/0x510
[ 72.515175][ T8462]     _raw_read_lock_irqsave+0x70/0x90
[ 72.520527][ T8462]     send_sigio+0x24/0x380
[ 72.524928][ T8462]     kill_fasync+0x1ec/0x460
[ 72.529501][ T8462]     snd_timer_user_ccallback+0x298/0x330
[ 72.535296][ T8462]     snd_timer_notify1+0x11c/0x3b0
[ 72.540398][ T8462]     snd_timer_start1+0x4d4/0x800
[ 72.545403][ T8462]     snd_timer_user_start.isra.0+0x1e3/0x260
[ 72.551364][ T8462]     __snd_timer_user_ioctl.isra.0+0xda8/0x24c0
[ 72.557671][ T8462]     snd_timer_user_ioctl+0x77/0xb0
[ 72.562906][ T8462]     __x64_sys_ioctl+0x193/0x200
[ 72.567825][ T8462]     do_syscall_64+0x35/0xb0
[ 72.572398][ T8462]     entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.578459][ T8462]
[ 72.580764][ T8462]
[ 72.580764][ T8462] stack backtrace:
[ 72.586666][ T8462] CPU: 1 PID: 8462 Comm: syz-executor378 Not tainted 5.14.0-syzkaller #0
[ 72.595338][ T8462] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.605387][ T8462] Call Trace:
[ 72.608652][ T8462]  dump_stack_lvl+0xcd/0x134
[ 72.613248][ T8462]  check_irq_usage.cold+0x4c1/0x6b0
[ 72.618433][ T8462]  ? print_shortest_lock_dependencies_backwards+0x80/0x80
[ 72.625527][ T8462]  ? kernel_text_address+0xbd/0xf0
[ 72.630632][ T8462]  ? check_path.constprop.0+0x24/0x50
[ 72.636088][ T8462]  ? register_lock_class+0xb7/0x10c0
[ 72.641365][ T8462]  ? stack_trace_save+0x8c/0xc0
[ 72.646199][ T8462]  ? lockdep_lock+0xc6/0x200
[ 72.650776][ T8462]  ? call_rcu_zapped+0xb0/0xb0
[ 72.655632][ T8462]  __lock_acquire+0x2a1f/0x54a0
[ 72.660477][ T8462]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 72.666451][ T8462]  lock_acquire+0x1ab/0x510
[ 72.670949][ T8462]  ? send_sigio+0x24/0x380
[ 72.675349][ T8462]  ? lock_release+0x720/0x720
[ 72.680017][ T8462]  ? lock_release+0x720/0x720
[ 72.684696][ T8462]  ? lock_release+0x720/0x720
[ 72.689377][ T8462]  _raw_read_lock_irqsave+0x70/0x90
[ 72.694578][ T8462]  ? send_sigio+0x24/0x380
[ 72.698979][ T8462]  send_sigio+0x24/0x380
[ 72.703207][ T8462]  kill_fasync+0x1ec/0x460
[ 72.707696][ T8462]  snd_timer_user_ccallback+0x298/0x330
[ 72.713325][ T8462]  ? snd_timer_user_append_to_tqueue+0x220/0x220
[ 72.719660][ T8462]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 72.725884][ T8462]  ? ktime_get_ts64+0x3bb/0x560
[ 72.730718][ T8462]  snd_timer_notify1+0x11c/0x3b0
[ 72.735639][ T8462]  ? snd_timer_user_append_to_tqueue+0x220/0x220
[ 72.741951][ T8462]  ? rwlock_bug.part.0+0x90/0x90
[ 72.746872][ T8462]  ? timer_set_gparams+0x160/0x160
[ 72.751963][ T8462]  ? _raw_spin_lock_irqsave+0x4e/0x50
[ 72.757315][ T8462]  snd_timer_start1+0x4d4/0x800
[ 72.762168][ T8462]  snd_timer_user_start.isra.0+0x1e3/0x260
[ 72.767961][ T8462]  __snd_timer_user_ioctl.isra.0+0xda8/0x24c0
[ 72.774160][ T8462]  ? snd_timer_user_params.isra.0+0x8c0/0x8c0
[ 72.780227][ T8462]  ? lock_release+0x720/0x720
[ 72.784910][ T8462]  ? __sanitizer_cov_trace_switch+0x63/0xf0
[ 72.790807][ T8462]  ? __mutex_lock+0x5bf/0x10a0
[ 72.795562][ T8462]  ? snd_timer_user_ioctl+0x4c/0xb0
[ 72.800850][ T8462]  ? find_held_lock+0x2d/0x110
[ 72.805601][ T8462]  ? mutex_lock_io_nested+0xf00/0xf00
[ 72.810960][ T8462]  ? __context_tracking_exit+0xb8/0xe0
[ 72.816493][ T8462]  ? lock_downgrade+0x6e0/0x6e0
[ 72.821414][ T8462]  ? lock_downgrade+0x6e0/0x6e0
[ 72.826429][ T8462]  snd_timer_user_ioctl+0x77/0xb0
[ 72.831440][ T8462]  ? __snd_timer_user_ioctl.isra.0+0x24c0/0x24c0
[ 72.837765][ T8462]  __x64_sys_ioctl+0x193/0x200
[ 72.842576][ T8462]  do_syscall_64+0x35/0xb0
[ 72.846984][ T8462]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.853030][ T8462] RIP: 0033:0x43fbd9
[ 72.856966][ T8462] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 72.876648][ T8462] RSP: 002b:00007ffd34105e68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 72.885058][ T8462] RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043fbd9
[ 72.893027][ T8462] RDX: 0000000000000000 RSI: 00000000000054a0 RDI: 0000000000000005
[ 72.901008][ T8462] RBP: 0000000000403bc0 R08: 0000000000400488 R09: 0000000000400488
[ 72.909070][ T8462] R10: 0000000000400488 R11: 0000000000000246 R12: 0000000000403c50
[ 72.917079][ T8462] R13: 0000000000000000 R14: 00000000004ad018