[ OK ] Found device /dev/ttyS0.
[ OK ] Started Permit User Sessions.
[ OK ] Started System Logging Service.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.21' (ECDSA) to the list of known hosts.
executing program
write to /proc/sys/kernel/hung_task_check_interval_secs failed: No such file or directory
syzkaller login: [ 29.791525]
[ 29.793683] =====================================================
[ 29.800927] WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
[ 29.807673] 4.14.226-syzkaller #0 Not tainted
[ 29.812351] -----------------------------------------------------
[ 29.818997] syz-executor423/7964 [HC0[0]:SC0[2]:HE1:SE0] is trying to acquire:
[ 29.827255] (hugetlb_lock){+.+.}, at: [] free_huge_page+0x5ab/0x7f0
[ 29.836431]
[ 29.836431] and this task is already holding:
[ 29.844489] (slock-AF_INET){+.-.}, at: [] tcp_close+0x540/0xed0
[ 29.852424] which would create a new lock dependency:
[ 29.858344] (slock-AF_INET){+.-.} -> (hugetlb_lock){+.+.}
[ 29.864802]
[ 29.864802] but this new dependency connects a SOFTIRQ-irq-safe lock:
[ 29.873578] (slock-AF_INET){+.-.}
[ 29.873587]
[ 29.873587] ... which became SOFTIRQ-irq-safe at:
[ 29.884448] lock_acquire+0x170/0x3f0
[ 29.889292] _raw_spin_lock+0x2a/0x40
[ 29.893790] sk_clone_lock+0x3cf/0x11e0
[ 29.898060] inet_csk_clone_lock+0x1e/0x3f0
[ 29.902707] tcp_create_openreq_child+0x2c/0x1880
[ 29.908113] tcp_v4_syn_recv_sock+0xa8/0xf80
[ 29.913447] tcp_check_req+0x4c1/0x1460
[ 29.918526] tcp_v4_rcv+0x1c36/0x3560
[ 29.923258] ip_local_deliver_finish+0x3f2/0xab0
[ 29.929261] ip_local_deliver+0x167/0x460
[ 29.933998] ip_rcv_finish+0x6e3/0x19f0
[ 29.938988] ip_rcv+0x8a7/0xf10
[ 29.943877] __netif_receive_skb_core+0x15ee/0x2a30
[ 29.949835] __netif_receive_skb+0x27/0x1a0
[ 29.955077] netif_receive_skb_internal+0xd7/0x580
[ 29.961402] napi_gro_receive+0x2e2/0x400
[ 29.966178] receive_buf+0x5ee/0x49f0
[ 29.970746] virtnet_poll+0x4b7/0x960
[ 29.975076] net_rx_action+0x466/0xfd0
[ 29.979848] __do_softirq+0x24d/0x9ff
[ 29.984119] irq_exit+0x193/0x240
[ 29.988320] do_IRQ+0x112/0x1d0
[ 29.992797] ret_from_intr+0x0/0x1e
[ 29.997125] lock_acquire+0x1ec/0x3f0
[ 30.002136] down_read+0x36/0x80
[ 30.005868] validate_mm+0xd3/0x580
[ 30.010127] __vma_adjust+0x967/0x1770
[ 30.014846] __split_vma+0x3aa/0x6c0
[ 30.019213] split_vma+0x85/0xc0
[ 30.022750] mprotect_fixup+0x6e3/0x8c0
[ 30.027463] do_mprotect_pkey+0x44a/0x7e0
[ 30.032726] SyS_mprotect+0x26/0x30
[ 30.037839] do_syscall_64+0x1d5/0x640
[ 30.043120] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.049021]
[ 30.049021] to a SOFTIRQ-irq-unsafe lock:
[ 30.055749] (hugetlb_lock){+.+.}
[ 30.055757]
[ 30.055757] ... which became SOFTIRQ-irq-unsafe at:
[ 30.067535] ...
[ 30.067549] lock_acquire+0x170/0x3f0
[ 30.074608] _raw_spin_lock+0x2a/0x40
[ 30.079007] hugetlb_overcommit_handler+0x283/0x400
[ 30.085034] proc_sys_call_handler.isra.0+0x1ba/0x340
[ 30.090900] __vfs_write+0xe4/0x630
[ 30.094986] vfs_write+0x17f/0x4d0
[ 30.098745] SyS_write+0xf2/0x210
[ 30.103158] do_syscall_64+0x1d5/0x640
[ 30.110334] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.117037]
[ 30.117037] other info that might help us debug this:
[ 30.117037]
[ 30.126852] Possible interrupt unsafe locking scenario:
[ 30.126852]
[ 30.134419]        CPU0                    CPU1
[ 30.139433]        ----                    ----
[ 30.146309]   lock(hugetlb_lock);
[ 30.150000]                                local_irq_disable();
[ 30.157150]                                lock(slock-AF_INET);
[ 30.163536]                                lock(hugetlb_lock);
[ 30.172122]
[ 30.175443]     lock(slock-AF_INET);
[ 30.180020]
[ 30.180020] *** DEADLOCK ***
[ 30.180020]
[ 30.187144] 3 locks held by syz-executor423/7964:
[ 30.192805] #0: (&sb->s_type->i_mutex_key#13){+.+.}, at: [] __sock_release+0x86/0x2b0
[ 30.203208] #1: (sk_lock-AF_INET){+.+.}, at: [] tcp_close+0x25/0xed0
[ 30.214410] #2: (slock-AF_INET){+.-.}, at: [] tcp_close+0x540/0xed0
[ 30.223762]
[ 30.223762] the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
[ 30.234480] -> (slock-AF_INET){+.-.} ops: 6069 {
[ 30.239364] HARDIRQ-ON-W at:
[ 30.243008] lock_acquire+0x170/0x3f0
[ 30.249394] _raw_spin_lock_bh+0x2f/0x40
[ 30.255882] lock_sock_nested+0x39/0x100
[ 30.261788] inet_autobind+0x1a/0x180
[ 30.269245] inet_dgram_connect+0x134/0x1f0
[ 30.275768] SyS_connect+0x1f4/0x240
[ 30.282353] do_syscall_64+0x1d5/0x640
[ 30.289465] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.297727] IN-SOFTIRQ-W at:
[ 30.302373] lock_acquire+0x170/0x3f0
[ 30.308417] _raw_spin_lock+0x2a/0x40
[ 30.315260] sk_clone_lock+0x3cf/0x11e0
[ 30.322042] inet_csk_clone_lock+0x1e/0x3f0
[ 30.330530] tcp_create_openreq_child+0x2c/0x1880
[ 30.338814] tcp_v4_syn_recv_sock+0xa8/0xf80
[ 30.345619] tcp_check_req+0x4c1/0x1460
[ 30.352409] tcp_v4_rcv+0x1c36/0x3560
[ 30.358056] ip_local_deliver_finish+0x3f2/0xab0
[ 30.365948] ip_local_deliver+0x167/0x460
[ 30.371748] ip_rcv_finish+0x6e3/0x19f0
[ 30.379124] ip_rcv+0x8a7/0xf10
[ 30.384622] __netif_receive_skb_core+0x15ee/0x2a30
[ 30.391875] __netif_receive_skb+0x27/0x1a0
[ 30.398828] netif_receive_skb_internal+0xd7/0x580
[ 30.407083] napi_gro_receive+0x2e2/0x400
[ 30.413822] receive_buf+0x5ee/0x49f0
[ 30.420003] virtnet_poll+0x4b7/0x960
[ 30.427587] net_rx_action+0x466/0xfd0
[ 30.433910] __do_softirq+0x24d/0x9ff
[ 30.439537] irq_exit+0x193/0x240
[ 30.445135] do_IRQ+0x112/0x1d0
[ 30.450624] ret_from_intr+0x0/0x1e
[ 30.456772] lock_acquire+0x1ec/0x3f0
[ 30.463239] down_read+0x36/0x80
[ 30.469297] validate_mm+0xd3/0x580
[ 30.475326] __vma_adjust+0x967/0x1770
[ 30.481743] __split_vma+0x3aa/0x6c0
[ 30.489624] split_vma+0x85/0xc0
[ 30.496359] mprotect_fixup+0x6e3/0x8c0
[ 30.504034] do_mprotect_pkey+0x44a/0x7e0
[ 30.512294] SyS_mprotect+0x26/0x30
[ 30.517913] do_syscall_64+0x1d5/0x640
[ 30.523825] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.533304] INITIAL USE at:
[ 30.537208] lock_acquire+0x170/0x3f0
[ 30.544078] _raw_spin_lock_bh+0x2f/0x40
[ 30.549788] lock_sock_nested+0x39/0x100
[ 30.555808] inet_autobind+0x1a/0x180
[ 30.562009] inet_dgram_connect+0x134/0x1f0
[ 30.568211] SyS_connect+0x1f4/0x240
[ 30.574594] do_syscall_64+0x1d5/0x640
[ 30.580235] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.589637] }
[ 30.591722] ... key at: [] af_family_slock_keys+0x10/0x180
[ 30.602188] ... acquired at:
[ 30.606002] lock_acquire+0x170/0x3f0
[ 30.610510] _raw_spin_lock+0x2a/0x40
[ 30.615087] free_huge_page+0x5ab/0x7f0
[ 30.620310] __put_page+0xb9/0x2f0
[ 30.624333] skb_release_data+0x25a/0x820
[ 30.629500] __kfree_skb+0x46/0x60
[ 30.633876] tcp_v4_destroy_sock+0x223/0x920
[ 30.638668] inet_csk_destroy_sock+0x169/0x400
[ 30.644521] tcp_close+0x85e/0xed0
[ 30.649611] inet_release+0xdf/0x1b0
[ 30.654740] __sock_release+0xcd/0x2b0
[ 30.659011] sock_close+0x15/0x20
[ 30.663010] __fput+0x25f/0x7a0
[ 30.667665] task_work_run+0x11f/0x190
[ 30.672694] do_exit+0xa44/0x2850
[ 30.677160] do_group_exit+0x100/0x2e0
[ 30.681686] SyS_exit_group+0x19/0x20
[ 30.686009] do_syscall_64+0x1d5/0x640
[ 30.690992] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.698234]
[ 30.699913]
[ 30.699913] the dependencies between the lock to be acquired
[ 30.699916] and SOFTIRQ-irq-unsafe lock:
[ 30.713525] -> (hugetlb_lock){+.+.} ops: 32 {
[ 30.718501] HARDIRQ-ON-W at:
[ 30.722010] lock_acquire+0x170/0x3f0
[ 30.728521] _raw_spin_lock+0x2a/0x40
[ 30.735750] hugetlb_overcommit_handler+0x283/0x400
[ 30.747678] proc_sys_call_handler.isra.0+0x1ba/0x340
[ 30.755443] __vfs_write+0xe4/0x630
[ 30.762118] vfs_write+0x17f/0x4d0
[ 30.768431] SyS_write+0xf2/0x210
[ 30.774214] do_syscall_64+0x1d5/0x640
[ 30.780040] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.787316] SOFTIRQ-ON-W at:
[ 30.790675] lock_acquire+0x170/0x3f0
[ 30.798070] _raw_spin_lock+0x2a/0x40
[ 30.804022] hugetlb_overcommit_handler+0x283/0x400
[ 30.811977] proc_sys_call_handler.isra.0+0x1ba/0x340
[ 30.819583] __vfs_write+0xe4/0x630
[ 30.825343] vfs_write+0x17f/0x4d0
[ 30.831522] SyS_write+0xf2/0x210
[ 30.837590] do_syscall_64+0x1d5/0x640
[ 30.844722] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.853823] INITIAL USE at:
[ 30.858032] lock_acquire+0x170/0x3f0
[ 30.864246] _raw_spin_lock+0x2a/0x40
[ 30.871182] hugetlb_overcommit_handler+0x283/0x400
[ 30.878542] proc_sys_call_handler.isra.0+0x1ba/0x340
[ 30.887035] __vfs_write+0xe4/0x630
[ 30.893288] vfs_write+0x17f/0x4d0
[ 30.899339] SyS_write+0xf2/0x210
[ 30.905524] do_syscall_64+0x1d5/0x640
[ 30.912074] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.920099] }
[ 30.922140] ... key at: [] hugetlb_lock+0x18/0x15e0
[ 30.930045] ... acquired at:
[ 30.933168] lock_acquire+0x170/0x3f0
[ 30.937497] _raw_spin_lock+0x2a/0x40
[ 30.943412] free_huge_page+0x5ab/0x7f0
[ 30.948133] __put_page+0xb9/0x2f0
[ 30.952242] skb_release_data+0x25a/0x820
[ 30.956770] __kfree_skb+0x46/0x60
[ 30.960862] tcp_v4_destroy_sock+0x223/0x920
[ 30.966266] inet_csk_destroy_sock+0x169/0x400
[ 30.971933] tcp_close+0x85e/0xed0
[ 30.976339] inet_release+0xdf/0x1b0
[ 30.980634] __sock_release+0xcd/0x2b0
[ 30.985486] sock_close+0x15/0x20
[ 30.989652] __fput+0x25f/0x7a0
[ 30.993407] task_work_run+0x11f/0x190
[ 30.997905] do_exit+0xa44/0x2850
[ 31.002241] do_group_exit+0x100/0x2e0
[ 31.007147] SyS_exit_group+0x19/0x20
[ 31.012008] do_syscall_64+0x1d5/0x640
[ 31.017121] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.023248]
[ 31.025104]
[ 31.025104] stack backtrace:
[ 31.029998] CPU: 0 PID: 7964 Comm: syz-executor423 Not tainted 4.14.226-syzkaller #0
[ 31.038833] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.048705] Call Trace:
[ 31.051516] dump_stack+0x1b2/0x281
[ 31.055429] check_usage.cold+0x806/0xbe6
[ 31.060119] ? check_usage_backwards+0x2c0/0x2c0
[ 31.065551] ? __save_stack_trace+0x63/0x160
[ 31.070333] ? is_bpf_text_address+0x91/0x150
[ 31.075032] ? lock_downgrade+0x740/0x740
[ 31.079413] ? is_bpf_text_address+0xb8/0x150
[ 31.084621] __lock_acquire+0x1cfc/0x3f20
[ 31.088986] ? trace_hardirqs_on+0x10/0x10
[ 31.093571] ? kasan_slab_free+0xc3/0x1a0
[ 31.098109] ? kmem_cache_free+0x7c/0x2b0
[ 31.102423] ? kfree_skbmem+0x7e/0x100
[ 31.106959] ? tcp_v4_destroy_sock+0x223/0x920
[ 31.112184] ? __sock_release+0xcd/0x2b0
[ 31.116543] ? sock_close+0x15/0x20
[ 31.120605] ? __fput+0x25f/0x7a0
[ 31.124225] ? task_work_run+0x11f/0x190
[ 31.128410] ? do_exit+0xa44/0x2850
[ 31.132198] ? do_group_exit+0x100/0x2e0
[ 31.136563] ? SyS_exit_group+0x19/0x20
[ 31.141133] ? entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.147411] ? lock_acquire+0x170/0x3f0
[ 31.151734] lock_acquire+0x170/0x3f0
[ 31.155780] ? free_huge_page+0x5ab/0x7f0
[ 31.160492] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 31.166419] _raw_spin_lock+0x2a/0x40
[ 31.171206] ? free_huge_page+0x5ab/0x7f0
[ 31.175844] free_huge_page+0x5ab/0x7f0
[ 31.180984] ? PageHuge+0x93/0x110
[ 31.185796] __put_page+0xb9/0x2f0
[ 31.189946] skb_release_data+0x25a/0x820
[ 31.194874] __kfree_skb+0x46/0x60
[ 31.199181] tcp_v4_destroy_sock+0x223/0x920
[ 31.204384] inet_csk_destroy_sock+0x169/0x400
[ 31.209862] tcp_close+0x85e/0xed0
[ 31.214341] inet_release+0xdf/0x1b0
[ 31.218749] __sock_release+0xcd/0x2b0
[ 31.222777] ? __sock_release+0x2b0/0x2b0
[ 31.227079] sock_close+0x15/0x20
[ 31.230937] __fput+0x25f/0x7a0
[ 31.234608] task_work_run+0x11f/0x190
[ 31.238994] do_exit+0xa44/0x2850
[ 31.242863] ? io_schedule_timeout+0x140/0x140
[ 31.248416] ? mm_update_next_owner+0x5b0/0x5b0
[ 31.253458] ? preempt_schedule_common+0x45/0xc0
[ 31.258717] ? ___preempt_schedule+0x16/0x18
[ 31.263937] do_group_exit+0x100/0x2e0
[ 31.268143] SyS_exit_group+0x19/0x20
[ 31.272411] ? do_group_exit+0x2e0/0x2e0
[ 31.277312] do_syscall_64+0x1d5/0x640
[ 31.281957] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.288105] RIP: 0033:0x44b709
[ 31.291689] RSP: 002b:00007ffda82acbf8 EFLAGS: 00000246 ORIG_RAX: 00000000